Authentication

EdgeWrap utilizes a dual-header authentication model. All requests routed through the edge proxy use API keys, while control plane configuration requests utilize bearer tokens.

Proxy Request Authentication (x-api-key)

To route traffic through the EdgeWrap gateway to your origin, your clients must authenticate using an API key. Send the key in the x-api-key header with every request.

Send a request to the edge proxy
curl https://{your-project}.edgewrap.pro/v1/products \
  -H "x-api-key: ek_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"

Generating API Keys

API keys are generated and managed directly in the EdgeWrap dashboard. You can define key properties to control access and protect against misuse:

  • Environment: Scoped to live or test environments (test keys have separate usage caps).
  • Platform Restrictions: Lock keys down to specific platforms: Web (checks CORS Origin/Referer), Mobile, Desktop, or Server-to-Server.
  • Server Keys: Keys designated for Server-to-Server communication require both an API key and a secret header (x-api-secret) for an extra layer of protection.
  • Rate Limits: Configure custom requests-per-minute (RPM) limits and daily request caps on a per-key basis.
Tip (security best practice): Never expose your Server keys in client-side applications (browsers or mobile apps). Use Web keys with strict CORS origin whitelists instead.
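The key properties above, sketched as a simplified model of per-key checks. This is an added example, not EdgeWrap's own code. The KeyRecord fields, the check_request function, the environment parameter, and all sample keys and secrets are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class KeyRecord:              # hypothetical shape of a stored key's properties
    environment: str          # "live" or "test"
    platform: str             # "web" or "server"
    allowed_origins: set = field(default_factory=set)  # web keys only
    secret: str = ""          # server keys only

def origin_of(headers):
    """Origin header if present, else scheme://host derived from Referer."""
    if headers.get("origin"):
        return headers["origin"].rstrip("/")
    ref = urlsplit(headers.get("referer", ""))
    return f"{ref.scheme}://{ref.netloc}" if ref.scheme and ref.netloc else None

def check_request(keys, headers, environment):
    """Return (allowed, reason). Header names are expected in lowercase."""
    record = keys.get(headers.get("x-api-key", ""))
    if record is None:
        return False, "unknown or missing x-api-key"
    if record.environment != environment:
        return False, "key is scoped to another environment"
    if record.platform == "web":
        # Exact match against the allowlist: no prefix or substring matching,
        # so a lookalike host that merely starts with an allowed name fails.
        if origin_of(headers) not in record.allowed_origins:
            return False, "origin not in allowlist"
    elif record.platform == "server":
        supplied = headers.get("x-api-secret", "")
        # Constant-time comparison avoids leaking the secret through timing.
        if not record.secret or not hmac.compare_digest(
                supplied.encode(), record.secret.encode()):
            return False, "missing or wrong x-api-secret"
    return True, "ok"

# Constructed sample data; none of these values come from EdgeWrap.
KEYS = {
    "ek_live_WEB_EXAMPLE": KeyRecord("live", "web", {"https://shop.example"}),
    "ek_live_SRV_EXAMPLE": KeyRecord("live", "server", secret="s3cr3t-example"),
}
```

A Web key is only as strong as its origin list, since a non-browser client can set any Origin value; that is why the Server key path relies on a secret that must stay off client devices.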

Forwarding Client Authorization Headers

If your client applications already send an Authorization header (such as Authorization: Bearer <user-token> or Basic Auth credentials), EdgeWrap is designed to pass it through as a transparent proxy.

EdgeWrap verifies the client-to-gateway access using the x-api-key, and then forwards your client's standard Authorization header and cookies directly to your origin backend server.

Client:            x-api-key: ek_...
                   Authorization: Bearer jwt_...
EdgeWrap Gateway:  Validates x-api-key
Your Backend:      Authorization: Bearer jwt_...

This allows your backend application to run its own user session and token verification logic exactly as it does today, without needing to modify your application's authentication code.

Dashboard & Management API Authentication

Administrative operations (e.g. creating projects, listing analytics logs, updating WAF rules via API) are authenticated using the standard Authorization header with a bearer token.

Authenticate control plane requests
curl https://server.edgewrap.pro/v1/projects \
  -H "Authorization: Bearer <your_session_token>"

When you log into the EdgeWrap Dashboard at https://app.edgewrap.pro, this token is managed for you automatically by the frontend. If you need to make custom management API requests directly, you can copy your active session token from your account settings in the dashboard.