Set a plan's security level

Pick the authentication method for a plan on its Security tab. Your choice sets the credential type a subscriber receives, from an API key to OAuth2 Client Credentials.

You set a plan's authentication method on its Security tab. The method you pick, shown as API Security Level, decides the credential type every subscriber to that plan receives. You open the tab from the plan editor, alongside the APIs, Documentation, and Limits tabs.

What does the Security tab set?

The Security tab sets the plan's authentication method, labelled API Security Level. The method you choose is stored on the plan and decides the credential type a subscriber receives when they create their authorization.

A single dropdown drives the tab. Picking a method updates the explanation below it and, on save, determines what every subscriber to the plan gets: an API key, an OAuth2 Client ID and Secret, or Private Key JWT. The credential type follows the plan, not the developer.

What authentication methods can I pick?

The methods come from a fixed set of levels, but only the ones your plan's source supports appear in the dropdown. Each maps to a credential type on the subscriber side.

| Security level (label in the dropdown) | What it is | Credential a subscriber receives |
| --- | --- | --- |
| Level 0 - Basic Auth - API Key | A static API key sent with each request. | An API key, and optionally a second key. |
| Level 1 - Intermediate - Server to Server - JWT | A signed JWT for server-to-server calls. | A token-based server credential. |
| Level 1 - Intermediate - Server to Server - OAuth 2.0: Client Credentials with Client Secret Basic | OAuth2 client credentials authenticated with a client secret. | A Client ID and Client Secret. |
| Level 1 - Intermediate - Server to Server - OAuth 2.0: Client Credentials with Private Key JWT | OAuth2 client credentials authenticated with a signed JWT. | A Client ID and a JWKS URL, with no client secret. |
| Level 2 - Advanced - Mobile and Web Client - OAuth 2.0: Code Flow | The OAuth2 authorization code flow for user-facing apps. | OAuth2 client credentials for the code flow. |
| Level 3 - Evolved - Mobile and Web Client - Centralized Claims | A centralized-claims flow for user-facing apps. | OAuth2 client credentials with centralized claims. |

The dropdown is source-aware. A Gateway-bound plan lists the methods its gateway advertises. A plan bound to an Authorization Server lists the methods that server discovered, which Apiable reads as client_secret_basic, private_key_jwt, or api_key. Methods the source does not support do not appear.

How do I set the security level?

Open the plan, go to the Security tab, pick a method from API Security Level, then save the plan.

  1. Open your product, open the plan, and select the Security tab.
  2. Open the API Security Level dropdown.
  3. Pick a method. The list shows only the methods your gateway or Authorization Server supports.
  4. Read the explanation under the dropdown to confirm the method matches the integration pattern you want.
  5. Click Save Changes on the plan.

The dropdown is clearable. If you clear it, the plan has no security level set, and a Gateway-bound plan cannot generate credentials until you pick one again.

How does the security level relate to the credential a subscriber receives?

It sets it. The plan's security level is the single input that decides which credential type a subscription holds. The developer does not choose; they receive whatever the plan defines.

  • Level 0 - Basic Auth - API Key issues an API key.
  • Client Credentials with Client Secret Basic issues a Client ID and Client Secret.
  • Client Credentials with Private Key JWT issues a Client ID and uses a JWKS URL, with no client secret.

See API credentials for what a developer does with each credential type, and Access control for how scopes ride inside the OAuth2 token on plans that use scope-based access control.

Troubleshooting

Match what the Security tab shows to the fix.

| What you see | What to do |
| --- | --- |
| Save is disabled with "Pick a security method on the Security tab to save." | The plan is bound to an Authorization Server. Open the Security tab and pick a method from API Security Level. |
| "Security settings will be available after configuring APIs." | The plan has no gateway and no Authorization Server binding yet. Add APIs and choose a coupling on the APIs tab first. |
| "No supported auth methods available. Refresh the Authorization Server's discovery document." | The bound server has not been refreshed. Re-run discovery on the Authorization Server, then reopen the Security tab. |
| "The Authorization Server this plan is bound to is no longer available. Re-bind the plan to a valid Authorization Server on the Access Control tab." | The bound server was deleted or is unreachable. Re-bind the plan on the Access Control tab. |
| Save fails with "The selected auth method ... is not supported by the bound authorization server." | The picked method is not in the server's discovered methods. Pick a supported method, or refresh the server's discovery document. |
| The dropdown and fields are read-only | The plan has active or pending subscriptions. Create a new plan version to change the security level. |

Where to next