How can I identify who is consuming my APIs?

You can identify the consumer of an API from the client ID and/or access token sent in the request. To see these credentials, you need to insert interceptors into the API’s flow (at the level of the whole API, a resource, or an operation).

There are two ways of retrieving the client ID and/or access token:

  • using the Log interceptor and checking the details of a request in the GATEWAY TRACE tab of an API’s Trace page; or

  • inserting client ID and/or access token validation interceptors and checking the credentials in the Trace’s OVERVIEW tab (the interceptors can be: Client ID Validation, Access Token Validation or OAuth). In this case, it’s necessary to have an app registered on the Manager.

To show these ways in practice, let’s take a look at some requests to an example API called Documentation Images.

In the image below, we see the record of a request made to a resource whose flow includes only a Log interceptor. We sent a request with client_id and access_token in the headers, but the client ID does not belong to any app registered on the Manager. On the API Trace, we see the record:

[Image: trace no app]

Clicking on it takes you to the Trace’s OVERVIEW tab. As we didn’t include interceptors that validate the client ID or access token in the API’s flow, they are neither validated nor displayed in the corresponding fields:

[Image: trace no app overview]

However, as we placed the Log interceptor in the flow, we can see the details of the request by clicking on the GATEWAY TRACE tab and then on the view icon next to Request log. The client_id and access_token sent in the request are displayed in the headers:

[Image: trace no app details]

Now, if we make a call to the API using the credentials of an app registered on the Manager and with client ID and token validation, the information is more complete. First, we added the OAuth interceptor to the flow of the resource that will be called. In the request, we send the app’s client_id and access_token in the headers. In this case, the API Trace already displays the app and the token owner:

[Image: trace app]

Clicking on the record, the OVERVIEW tab displays the client ID (hashed with MD5) and the access token:

[Image: trace app overview]

If you also added a Log interceptor, you will be able to see the same credentials in the details of the GATEWAY TRACE tab.
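The mapping described above can also be done offline over a batch of logged requests. The following is an added example, not code from the product or its documentation: it tallies requests per registered app, accepts the client ID either raw (as in the request headers) or as an MD5 digest (as in the OVERVIEW tab), and flags client IDs that belong to no registered app. The record shape, the app inventory, all sample values, and the assumption that the displayed value is the hex MD5 of the UTF-8 client ID are constructed for illustration.

```python
import hashlib
from collections import Counter

def md5_hex(value):
    # Assumption: the Trace shows the hex MD5 digest of the UTF-8 client ID.
    return hashlib.md5(value.encode("utf-8")).hexdigest()

def build_index(apps):
    """Index registered apps by raw client ID and by its MD5 digest."""
    index = {}
    for client_id, app_name in apps.items():
        index[client_id] = app_name
        index[md5_hex(client_id)] = app_name
    return index

def identify(headers, index):
    """Label one request by consumer; the access token is never read or stored."""
    lowered = {name.lower(): value for name, value in headers.items()}
    client_id = (lowered.get("client_id") or "").strip()
    if not client_id:
        return "no client ID"
    return index.get(client_id, "unregistered client ID")

def count_consumers(requests, apps):
    """Tally requests per consumer across a batch of logged requests."""
    index = build_index(apps)
    return Counter(identify(r.get("headers", {}), index) for r in requests)

# Constructed inventory of apps registered on the Manager (hypothetical values).
REGISTERED_APPS = {
    "constructed-client-id-0001": "Mobile Storefront",
    "constructed-client-id-0002": "Partner Portal",
}

# Constructed request records, shaped like headers seen through a Log interceptor.
SAMPLE_REQUESTS = [
    {"headers": {"client_id": "constructed-client-id-0001", "access_token": "constructed-token-a"}},
    {"headers": {"Client_Id": "constructed-client-id-0001", "Access_Token": "constructed-token-b"}},
    {"headers": {"client_id": md5_hex("constructed-client-id-0002")}},  # MD5 form
    {"headers": {"client_id": "constructed-client-id-9999", "access_token": "constructed-token-c"}},
    {"headers": {"accept": "application/json"}},  # no credentials sent
]

if __name__ == "__main__":
    for consumer, hits in count_consumers(SAMPLE_REQUESTS, REGISTERED_APPS).most_common():
        print(f"{hits:3d}  {consumer}")
```

Requests labelled "unregistered client ID" correspond to the first scenario above, where the Log interceptor records a client_id that no validation interceptor has checked.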
