Authentication is the process by which an application validates that an identity presented to
it is in fact who it claims to be. In terms of APIs and Apigility, identities are delivered to
the application from the client through the Authorization request header. This header, if
present, is parsed and handled by one of the configured authentication schemes. If no header is
present, Apigility assigns a default identity known as a "guest" identity. The important thing
to note here is that authentication is not something that needs to be turned on, because it is
always on. It just needs to be configured to handle the identities that are presented to
Apigility. If no authentication scheme is configured, and an identity is presented in a way
that Apigility cannot handle, or is not configured to handle, the "guest" identity will be
assigned.
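
The guest fallback described above can be modelled as a small selection step. This is an added example, not Apigility's code: the function names and sample requests are hypothetical, a malformed header is assumed to count as one Apigility cannot handle, and credential checking is left out. It flags requests that sent an Authorization header yet would still be treated as "guest".

```python
# Added illustration of the pre-route decision described in the text.
# Not Apigility's implementation; all names here are hypothetical.

GUEST = "guest"

def split_authorization(value):
    """Return (scheme, credentials) from an Authorization header value, or None."""
    if value is None:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return None                      # empty header, or a scheme with no credentials
    return parts[0].lower(), parts[1]    # HTTP auth scheme names are case-insensitive

def route_identity(headers, configured_schemes):
    """Pick the configured scheme that would handle the request, or GUEST.

    headers: dict of request headers; configured_schemes: set such as {"basic"}.
    Only the selection step is modelled; credentials are never verified here.
    """
    lookup = {name.lower(): value for name, value in headers.items()}
    parsed = split_authorization(lookup.get("authorization"))
    if parsed is None:
        return GUEST                     # no usable header: default identity
    scheme, _credentials = parsed
    if scheme in configured_schemes:
        return scheme                    # handed to that authentication scheme
    return GUEST                         # presented, but nothing is configured for it

def silent_guest_requests(requests, configured_schemes):
    """IDs of requests that sent an Authorization header yet resolve to GUEST."""
    flagged = []
    for req_id, headers in requests:
        sent = any(name.lower() == "authorization" for name in headers)
        if sent and route_identity(headers, configured_schemes) == GUEST:
            flagged.append(req_id)
    return flagged

# Constructed sample requests; the credentials are placeholders.
SAMPLE = [
    ("r1", {"Accept": "application/json"}),
    ("r2", {"Authorization": "Basic dXNlcjpwYXNz"}),
    ("r3", {"authorization": "Bearer example-token"}),
    ("r4", {"Authorization": "Digest"}),
]

if __name__ == "__main__":
    for req_id, headers in SAMPLE:
        print(req_id, "->", route_identity(headers, {"basic"}))
    print("sent a header but treated as guest:", silent_guest_requests(SAMPLE, {"basic"}))
```

Because a guest is still an identity, whatever runs after authentication has to decide what a guest may reach; the flagged requests are the ones worth logging, since the client believed it had authenticated.
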
Apigility delivers three methods to authenticate identities: HTTP Basic authentication, HTTP Digest authentication, and OAuth2 (by way of Brent Shaffer's PHP OAuth2 package). HTTP Basic and HTTP Digest authentication can be configured to be used with minimal tools.
Authentication is something that happens "pre-route", and since Apigility 1.1 it's configured per-module/API.
To get started with any of the configurable authentication schemes, click "Settings", then "Authentication".
Once here, you can create a new Authentication Adapter by clicking the "New adapter" button.
When done with the authentication adapter configuration, you can assign it to a specific API. You need to click on the API name (step 1), in the sidebar on the left, and choose the authentication adapter to use in the "Set authentication type" combo box (step 2).