Authentication
EdgeWrap utilizes a dual-header authentication model. All requests routed through the edge proxy use API keys, while control plane configuration requests utilize bearer tokens.
Proxy Request Authentication (x-api-key)
To route traffic through the EdgeWrap gateway to your origin, your clients must authenticate using an API key. Send the key in the x-api-key header with every request.
curl https://{your-project}.edgewrap.pro/v1/products \
-H "x-api-key: ek_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"Generating API Keys
API keys are generated and managed directly in the EdgeWrap dashboard. You can define key properties to control access and protect against misuse:
- Environment: Scoped to
liveortestenvironments (test keys have separate usage caps). - Platform Restrictions: Lock keys down to specific platforms: Web (checks CORS Origin/Referer), Mobile, Desktop, or Server-to-Server.
- Server Keys: Keys designated for Server-to-Server communication require both an API key and a secret header (
x-api-secret) for an extra layer of protection. - Rate Limits: Configure custom requests-per-minute (RPM) limits and daily request caps on a per-key basis.
Forwarding Client Authorization Headers
If your client applications already include an Authorization header (such as Authorization: Bearer <user-token> or Basic Auth credentials), EdgeWrap is designed to be a transparent proxy.
EdgeWrap verifies the client-to-gateway access using the x-api-key, and then forwards your client's standard Authorization header and cookies directly to your origin backend server.
Authorization: Bearer jwt_...
This allows your backend application to run its own user session and token verification logic exactly as it does today, without needing to modify your application's authentication code.
Dashboard & Management API Authentication
Administrative operations (e.g. creating projects, listing analytics logs, updating WAF rules via API) are authenticated using the standard Authorization header with a bearer token.
curl https://server.edgewrap.pro/v1/projects \
-H "Authorization: Bearer <your_session_token>"When you log into the EdgeWrap Dashboard at https://app.edgewrap.pro, this token is managed for you automatically by the frontend. If you need to make custom management API requests directly, you can copy your active session token from your account settings in the dashboard.