Mediator Evaluating Consumers at Run-Time
After you have registered as a consumer of a particular API, every call to that API must carry your credential, either an API key or an OAuth2 access token, in the HTTP request as described below. Mediator uses that credential to identify the calling consumer application before it applies any further run-time rules.
If you use an API key to call the API, the client must provide the API key either in an HTTP request header or as a query string parameter. Presenting a valid key identifies and authenticates the client. Prefer the header form where you can: a key placed in the query string is written to web server and proxy access logs and to browser history, where it can be harvested and replayed.
If you use an OAuth2 access token to call the API, the client must provide the access token in the HTTP request header; for an OAuth 2.0 bearer token that is the Authorization header with the Bearer scheme (RFC 6750). An OAuth2 access token is a unique token that a client uses to invoke APIs using the OAuth 2.0 protocol. The token is bound to the client it was issued to, so Mediator can resolve it to that client. Presenting a valid token therefore establishes the client's identity and is used for both authentication and authorization. Because it is a bearer credential, anyone who obtains the token can use it, so send it only over TLS and treat it like a password.
In addition, the API provider can include run-time security actions in the run-time governance rules for APIs. Security actions can validate clients' request and response messages (through WSS X.509 certificates, WSS username tokens, and so on) or identify clients (through IP address or hostname). To enforce client validation, Mediator maintains a list of consumer applications specified in CentraSite that are authorized to access the API published to Mediator; a request from a consumer that is not on the list for the requested API is rejected even if it carries a syntactically valid credential. Note that identification by IP address or hostname is weaker than credential-based identification, because clients behind NAT or a shared proxy present the same address and addresses can be spoofed, so use it only where the network path is trusted.
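The following Python module models the run-time evaluation the preceding paragraphs describe: identify the caller by API key (header or query string), otherwise by OAuth2 bearer token, otherwise by source IP or hostname, and then check the identified consumer application against the list of consumers authorized for the requested API. It is a constructed example written for this page, not Mediator's or CentraSite's own code. The header name `x-mediator-api-key`, the query parameter name `APIKey`, the consumer registry and the token store are all assumptions made up for illustration.

```python
"""
Constructed model of a gateway deciding, per request, which registered
consumer is calling and whether it may use the requested API. Illustrative
code for this page, not Mediator's own; header/parameter names and all
registry data are assumptions.
"""
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed names; check your gateway's documentation for the real ones.
API_KEY_HEADER = "x-mediator-api-key"
API_KEY_PARAM = "APIKey"


@dataclass
class Consumer:
    """A consumer application as it would be registered in the governance tool."""
    name: str
    apis: set                                   # APIs this application may call
    api_keys: set = field(default_factory=set)
    ip_addresses: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)


@dataclass
class Request:
    """The parts of an incoming HTTP request the gateway needs for this decision."""
    api: str            # which published API the request targets
    url: str            # path plus query string
    headers: dict
    source_ip: str
    source_host: str = ""


# Constructed registry standing in for the consumer list obtained from CentraSite.
CONSUMERS = [
    Consumer("OrderPortal", apis={"OrderAPI"},
             api_keys={"k-orderportal-1"}, ip_addresses={"10.0.0.5"}),
    Consumer("Analytics", apis={"OrderAPI", "ReportAPI"},
             api_keys={"k-analytics-7"}, hostnames={"analytics.example.internal"}),
]

# Constructed token store: access token -> (owning consumer, expiry as epoch seconds).
TOKENS = {
    "tok-analytics-live": ("Analytics", 2_000_000_000),
    "tok-orderportal-old": ("OrderPortal", 1_000_000_000),
}


def identify_consumer(req, now=None):
    """Resolve the caller. Returns (Consumer, how) on success or (None, reason)."""
    now = time.time() if now is None else now
    headers = {k.lower(): v for k, v in req.headers.items()}

    # 1. API key, from the header or (less safely, it ends up in logs) the query string.
    key = headers.get(API_KEY_HEADER)
    if key is None:
        key = parse_qs(urlsplit(req.url).query).get(API_KEY_PARAM, [None])[0]
    if key is not None:
        for c in CONSUMERS:
            if key in c.api_keys:
                return c, "api-key"
        return None, "unknown api key"      # a bad credential never falls through to step 3

    # 2. OAuth2 access token presented as a bearer token (RFC 6750).
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        entry = TOKENS.get(token.strip())
        if entry is None:
            return None, "unknown token"
        owner, expires = entry
        if expires <= now:
            return None, "expired token"
        return next(c for c in CONSUMERS if c.name == owner), "oauth2"

    # 3. No credential at all: fall back to identification by source IP or hostname.
    for c in CONSUMERS:
        if req.source_ip in c.ip_addresses or (req.source_host and req.source_host in c.hostnames):
            return c, "ip-or-hostname"
    return None, "no credential and unregistered source"


def evaluate(req, now=None):
    """Full run-time decision: identify the caller, then check it may use this API."""
    consumer, how = identify_consumer(req, now)
    if consumer is None:
        return {"allowed": False, "status": 401, "reason": how}
    if req.api not in consumer.apis:
        return {"allowed": False, "status": 403, "consumer": consumer.name,
                "reason": "consumer not authorized for this API"}
    return {"allowed": True, "status": 200, "consumer": consumer.name, "identified_by": how}


if __name__ == "__main__":
    now = 1_500_000_000
    print(evaluate(Request("OrderAPI", "/orders", {"X-Mediator-API-Key": "k-orderportal-1"},
                           "203.0.113.9"), now))
    print(evaluate(Request("ReportAPI", "/reports?APIKey=k-orderportal-1", {},
                           "203.0.113.9"), now))
    print(evaluate(Request("ReportAPI", "/reports",
                           {"Authorization": "Bearer tok-orderportal-old"}, "203.0.113.9"), now))
```

Two design choices are worth noting. Identification and authorization are separate steps, so a consumer that presents a valid key but is registered for a different API is refused with 403 rather than 401, which makes misconfiguration easy to tell apart from a missing credential. And a request that presents a credential which fails to verify is rejected outright; it never falls back to IP or hostname identification, since otherwise a stolen-but-revoked key from a whitelisted address would still be served.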