Hey Team,
We are trying to include custom api snowplow enrichment, where we are trying to hit an API gateway in AWS which is secured by API Key. Currently snowplow api authentication supports only httpbasic authentication, is there any workaround for achieving this?
Thanks.
Hey @Goutham_R,
Unfortunately, not that I know of. Currently, as you said you can you either use HTTP Basic Auth or attach an API key as query parameter (which is also very unsecure).
Is it just an HTTP header that has to be attached to every request? Could you please create a ticket in the enrich bugtracker, explaining the desired flow of the authentication.
Maybe there’s an alternative, like proxy webserver in your subnet which receives unautheticated request from enrich EC2 node and then translates it to your original server? Feels very hacky, but best I can think of at the moment.
In addition to what @anton has mentioned, I think having this run in a private VPC (if possible) is a good idea - this would enable you to allow list connections from a certain host / CIDR as well.
At the moment the API enrichment only supports basic authentication as you’ve mentioned but if you require modifying headers or other HTTP settings then it is possible to use the Javascript enrichment to make the network call. This ensures that you can still store secrets and gives you quite granular control over the HTTP request that you make - as well as the data you are returning as contexts.
The way that we’ve best implemented this is with a bit of middleware:
Not the most straightforward process, but not terribly difficult. Huge +1 for an API key and JWT Bearer Token feature on this one!
Thanks for the suggestion Mike, let me try with custom javascript enrichment which is looks achievable.
Thanks for your reply Adam! Will try as per Mike suggested and check how it goes, if not will try as you have implemented. Thanks again for your time 
Thanks for your reply Anton! Will try out the below options, if not will raise a ticket.
Hello @mike,
do you know if it’s something possible in a future : passing api key in the header and the payload in the body?
The payload should be passed in the body already (for POST requests). In order to support an API key in the headers someone would need to add the functionality to the API enrichment (in the enrich codebase) to support attaching arbitrary headers to the request.