Capabilities

The ApiShare Connector for RedHat 3scale enables seamless integration between ApiShare and the third-party API gateway, ensuring automated synchronization and governance across multiple instances. The connector is triggered by user actions within ApiShare, particularly in the Subscription Management and Key Set Management functionalities. For each supported feature, refer to the corresponding sections of the documentation for further details.

API Subscription Management

Subscription Activation

Once a subscription request is approved in ApiShare, the connector automatically provisions the subscription on 3scale, enabling the consuming application to access the API.

During the first subscription of an application to a public API, the following entities are created and managed in 3scale:

• Account (Organization)

  • This account is traceable in ApiShare through the organizationMappings correlation document.

• Application Plan

  • An Application Plan is defined for the API subscription, establishing the consumption policies.

  • This entity is stored in ApiShare via the applicationMappings correlation document.

• Application

  • The application is registered in 3scale and linked to the selected Application Plan.

  • The application ID (application_id) is generated and stored in ApiShare.

The authentication key (apiKeyor app_id/app_key) is generated for the first subscription and remains unique for all future API subscriptions of the same application. This key is reused for subsequent API subscriptions, optimizing security and key management

Each of these entities is automatically provisioned and synchronized between ApiShare and 3scale, ensuring full governance of the API subscription lifecycle.

Subscription Suspension

Enables the temporary deactivation of an application's subscription to a single API on 3scale, restricting access while maintaining the subscription record. The API remains linked to the application, but its access is disabled.

The affected entity on 3scale is the Application. The Application it is suspended , not deleted. It remains present and can be reactivated later.

The subscription’s state is changed to suspended.

The enabled flag of the 3scale application is set to false, preventing API calls using the suspended subscription’s key.

Subscription Reactivation

Previously suspended subscriptions can be restored, granting the application access to the API again without requiring a new subscription request.

The 3scale application entity is resumed and the ApiShare subscription is updated in active state.

→ See Subscription Management.

Key Set Lifecycle Management

Authentication Key Retrieval

Allows the retrieval of authentication credentials for apiKey and appId authentication mechanisms from 3scale, ensuring applications can securely access APIs. When a user requests to retrieve an authentication key (apiKey/app_id) from the ApiShare portal, ApiShare SaaS triggers a REST API call to the 3scale connector. The agent synchronously fetches the authentication key associated with the subscription of the APP.

Information are retrieved using the GET request to the Application 3scale entity for a specific Account. Since the apiKey/app_id is unique for all API subscriptions of an ApiShare application, the connector can retrieve it from any subscription entry.

Very often, this administrative 3scale API is mediated by an API Gateway and requires an authentication step. This step can be executed by the connector defining the proper token endpoint issuer configuration. → See 3scale Connector configuration.

Revoke Key Set

Removes all application entities on 3scale that rely on a given Key Set, ensuring that the credentials are completely invalidated.

Automatic Key Set Rotation

Rotates authentication keys for all applications using a specific Key Set, maintaining security while minimizing service disruption.

The summary below outlines the essential 3scale updates that occur during the automated Key Set rotation process, ensuring smooth key transitions while maintaining API access governance.

• A new application is logically created on 3scale and linked to the existing one.

• A new key is generated and associated with the newly created application.

• The new key may be associated with an existing plan, avoiding the creation of a new one.

• After the grace period, managed by ApiShare, the previous key is removed.

• The old application associated with the expired key may be deleted if no longer needed.

• The new key is linked to the required API plans, ensuring continuity in API consumption.

Regenerate Key Set

When a user requests Key Set regeneration from the ApiShare portal (e.g., due to a compromised key), ApiShare triggers updates in 3scale accordingly.

The connector fetches all existing 3scale applications for the specific Key Set, then updates the user_key for each 3scale application. The new Application Key (apiKey or app_key) is assigned across all active applications. The regenerated key is now available and replaces the previous key.

Additional considerations

• Unique Key for All Subscriptions: Since the apiKey/app_id is unique across all API subscriptions for an application, ApiShare ensures that all subscriptions under the application are updated with the new key.

• The connector maintains key alignment across multiple 3scale instances.

• Impact on Suspended Subscriptions: If a subscription is in a Suspended state, it will be updated with the new key upon reactivation (resume). Otherwise, a different key might be generated for the resumed subscription.

Suspend Key Set

The suspension and reactivation of a Key Set in ApiShare trigger the same actions on 3scale as those performed for subscription suspension and reactivation. However, since a Key Set is associated with multiple 3scale applications and provides access to multiple APIs, its impact extends across multiple entities.

Actions on 3scale when a Key Set is Suspended

• Suspension of all related 3scale applications → All applications linked to the Key Set are suspended.

• Disabling API Access → The authentication keys associated with these applications are disabled, preventing further API calls.

• API Subscriptions Remain Linked but Inactive → The API subscriptions for suspended applications are not deleted, but they become inactive.

Reactivate Key Set

Restores a previously suspended Key Set, automatically re-enabling all applications that depend on it.

Actions on 3scale when a Key Set is Reactivated

• Reactivation of all previously suspended applications → All applications linked to the Key Set are restored.

• Re-enabling API Access → The authentication keys associated with these applications become active again, restoring API access.

• API Subscriptions become usable again → API subscriptions for these applications return to active status, resuming normal operation.

→ See Key Set Management.

Multi-Instance Management

The connector supports configurations with one or more 3scale instances, ensuring they remain continuously synchronized. A dedicated microservice retrieves specific work tasks from ApiShare, proactively managing configurations across instances. To guarantee operational reliability, agents operate based on a master-worker pattern.

API gateway object modeling