Thanks for the reply Martin. It seems we wrongly interpreted the use of the developer portal and the requesting of keys. If I am deducing this correctly, this would create the following use case when requesting/granting access to an internal API while using BA (omitting any system-specific steps):
1. Developer requests key using the portal
2. Admin opens key request and adds the generated credentials to a .htpasswd file
3. Developer uses the generated credentials to make a request
4. Admin is able to see statistics and optionally add extra rules/settings for this specific developer
Based on the authentication mechanism (BA), step 2 would differ, while the other steps mostly stay the same.
Granted that the above would be correct, could I assume that the developer portal/keys only apply when using an internal API, because step 2 would not be possible in case of an external API.
Could you verify this is correct?
To add some context, we are currently communicating with many external APIs and are looking for an API gateway to manage things like rate-limiting, credentials and request/response translation. So the main point of this thread is mostly about finding out in what manner the credentials part is applied.