Home / Dev Portal
Edit
Report

API catalog

Uses: Catalog Dev Portal
Related Documentation
Catalog Documentation
OpenAPI Specifications
Konnect API Catalog
Incompatible with
on-prem
Tags
#api-catalog
Related Resources
Automate your API catalog with the Konnect API
Developer self-service and app registration
Package APIs with Dev Portal
API packages reference

This is a reference guide, you can also follow along with our tutorials:

An API is the interface that you publish to your end customer. They can, and should, include an OpenAPI or AsyncAPI specification or additional documentation to help users get started with your API.

Additionally, you can link your API to a Gateway Service to allow developers to register applications for your specific APIs.

To create an API, do one of the following:

Navigate to Catalog > APIs in the sidebar, and then click New API.

API versions

When you create an API, you can optionally specify the version as a free text string.

While you can use any version style, we recommend the following:

  • Semantic versioning (for example 1.0.0, 2.1.0) is best supported for default ordering
  • Create a unique API for each major version, since APIs must be unique based on the combination of name + version

The API slug determines Dev Portal URL routing in your list of APIs, which defaults to a name and version (major version if semantic versioning) in slug form. For example, if your API is named my-test-api and the version is 3, this will default to my-test-api-3. If a version isn’t specified, then name is used as the unique identifier.

API specification versions

If you upload OpenAPI or AsyncAPI specifications when you create the API, the API version will default to and be constrained by the version in the specification. You can specify multiple versions of API specifications in the API entity. Ideally, use multiple versions of API specs for minor versions of an API. When multiple versions are specified, a selector displays in the generated API reference to switch between versions of the API specification.

The API entity’s version property is treated as “current”, meaning it is the version that will be listed in your list of APIs.

To version an API, do one of the following:

  1. In the Konnect sidebar, click Catalog.
  2. Click New API.
  3. Enter a version in the API version field, or upload an API specification, which will set the version to match the API spec version.

You can also add versions to existing APIs when you edit them if they aren’t associated with an API specification. To manage multiple versions of the API specification, do the following:

  1. In the Konnect sidebar, click Catalog.
  2. Click your API.
  3. Click the API specification tab.
  4. From the Actions dropdown menu, select “Add or update API spec”.
  5. If a newer version is in the API specification, you will be prompted to add a new version and set the current version.

API spec validation

All API specification files are validated during upload, although invalid specifications are permitted. If specifications are invalid, features like generated documentation and search may be degraded.

Konnect looks for the following during spec validation:

  • Specs must be valid JSON or YAML.
  • Spec should be valid according to the OpenAPI 2.0, 3.0.x, or 3.1.x specification or the AsyncAPI 2.x or 3.0.0 specification.
    • OAS validation is performed using Spectral.
    • To replicate validation in your own CI/CD pipeline, run spectral lint [spec.yaml] .spectral.yaml, where .spectral.yaml should contain the following:
      • OpenAPI spectral.yaml: Should contain extends: "spectral:oas".
      • AsyncAPI spectral.yaml: Should contain extends: "spectral:asyncapi".
  • Invalid specs are permitted (with potential degraded experience), and validation_messages captures any validation issues.

API documentation

API documentation is content in Markdown that you can use to provide additional information about your API.

While you are creating or editing an API document, you can also choose to publish it and make it available in your Dev Portal (assuming all parent pages are published as well). Keep the following in mind:

  • The visibility of an API document is inherited from the API’s visibility and access controls.
  • If a parent page is unpublished, all child pages will also be unpublished.
  • If no parent pages are published, no API documentation will be visible, and the APIs list will navigate directly to generated specifications.

To create a new API document, do one of the following:

Navigate to Catalog > APIs in the sidebar and click your API. Click the Documentation tab, and then click New document. You can either upload your documentation as an existing a Markdown file or create a new document.

Page structure

The slug and parent fields create a tree of documents, and build the URL based on the slug/parent relationship. This document structure lives under a given API:

  • Page name: The name used to populate the title in the front matter of the Markdown document
  • Page slug: The slug used to build the URL for the document within the document structure
  • Parent page: When creating a document, selecting a parent page creates a tree of relationships between the pages. This allows for effectively creating categories of documentation.

For example, if you had a document configured like the following:

  • API slug: routes
  • API version: v3
  • Page 1: about, parent null
  • Page 2: info, parent about

Based on this data, you get the following generated URLs:

  • Generated URL for about page: /apis/routes-v3/docs/about
  • Generated URL for info page: /apis/routes-v3/docs/about/info

API image

You can upload an image for your API. The image is displayed as an icon for your API in any Dev Portal where the API is published. The image must be a PNG, JPG, or SVG image under 500 KB that’s no larger than 350 × 350 pixels.

To upload an API image, do the following:

  1. In the Konnect sidebar, click Catalog.
  2. In the Catalog sidebar, click APIs.
  3. Click the API you want to add the image to.
  4. From the action menu, select “Edit”.
  5. Click Upload image and upload an image.

Allow developers to consume your API

You can link to a Konnect Gateway Service v3.6+ or control plane v3.13+ to allow developers to create applications and generate credentials or API keys.

When you link an API to a Gateway, you have two options:

These plugins are responsible for applying authentication and authorization on the Gateway Service or control plane. The authentication strategy that you select for the API defines how clients authenticate.

The following table can help you decide which option to pick:

Option

KAA plugin

ACE plugin
Scope Linked to a single Gateway Service Linked to an entire control plane
Plugin applied… Automatically on the Gateway Service linked to the API Manually
Managed by… Konnect. You can only modify it by configuring JSON in the advanced configuration for your application auth strategy. You, by manually configuring the plugin.
Kong Gateway version 3.6 or later 3.13 or later
Can be used with declarative configuration No, because the plugin is applied automatically Yes, because you must configure the plugin
Can be used with API packages No Yes

Do not configure the KAA and ACE plugins on the same control plane because their overlapping interactions can be unpredictable.

The following diagram shows how the plugins manage authorization and authentication on the linked Service or control plane:

 
sequenceDiagram
    actor Client
    Client->>Kong: 
    Kong->>Auth plugins: Send request
    Auth plugins->>Auth plugins: Run configured auth plugins (like Key Auth)

    note right of Auth plugins: ACE runs after all other auth plugins.
If a prior plugin rejects the request, ACE does not run.

    Auth plugins->>ACE plugin: Forward request

    alt Request matches a defined operation
        ACE plugin->>ACE plugin: Authenticate and authorize request
using data pushed from Konnect
        ACE plugin->>Upstream: Forward authorized request
        Upstream-->>ACE plugin: Response
        ACE plugin-->>Kong: 
        Kong-->>Client: 
    else `match_policy: if_present` (no match)
        ACE plugin-->>Kong: Pass through untouched
        Kong-->>Client: 
        note right of ACE plugin: If anonymous is set, unauthenticated requests
also pass through. Use Request Termination
to block them if needed.
    else `match_policy: required` (no match)
        ACE plugin-->>Kong: Reject with 404
        Kong-->>Client: 404
    end

If you want the Gateway Service or control plane to restrict access to the API, configure developer and application registration for your Dev Portal.

To link your API to a Gateway Service or control plane, do one of the following:

  1. In the Konnect sidebar, click Catalog.
  2. From the Catalog sidebar, click APIs.
  3. Click your API.
  4. Click the Gateway tab.
  5. Click Link gateway.
  6. From the Control plane dropdown menu, select your control plane.
  7. Select the Gateway link type:
    1. To link to a single Service on the control plane and use the KAA plugin, click Link to a single gateway service and select the Service you want to link to from the Gateway service dropdown menu.
    2. To link to the control plane and use the ACE plugin, click Link to a control plane and add the ACE plugin by clicking Add plugin.
  8. Click Link gateway.

Publish your API to Dev Portal

Publishing an API makes it available to one or more Dev Portals. Publishing an API in the Dev Portal involves several steps:

  1. Create a new API, including the API version.
  2. Upload an OpenAPI spec and/or markdown documentation (one of these is required to generate API docs).
  3. If you want developers to consume the API in a self-serve way, link the API to a Gateway Service.
  4. Publish the API to a Portal and apply an auth strategy. Publishing an API requires you to have the Product Publisher Konnect role.
  • The visibility of pages and menus is configured independently from APIs, maximizing your flexibility.
  • v3.6+ An API must be linked to a Konnect Gateway Service to be able to restrict access to your API with authentication strategies.

With the appropriate security and access and approval settings, you can publish an API securely to the appropriate audience. The following table describes various Dev Portal access control scenarios and their settings:

Access use case

Visibility

Authentication strategy

User authentication

Description
Viewable by anyone, no self-service credentials Public Disabled Disabled in security settings Anyone can view the API’s specs and documentation, but cannot generate credentials and API keys. No developer registration is required.
Viewable by anyone, self-service credentials Public key-auth (or any other appropriate authentication strategy) Enabled in security settings Anyone can view the API’s specs and documentation, but must sign up for a developer account and create an Application to generate credentials and API keys.

RBAC is disabled if fine-grained access management is not needed, configured in security settings.
Viewable by anyone, self-service credentials with RBAC Public key-auth (or any other appropriate Authentication strategy) Enabled in security settings Anyone can view the API’s specs and documentation, but must sign up for a developer account and create an Application to generate credentials and API keys.

A Konnect Admin must assign a developer to a Team to provide specific role-based access. RBAC is enabled to allow Teams assignments for developers, granting credentials with the API Consumer role.
Sign up required to view API specs and/or documentation Private key-auth (or any other appropriate Authentication strategy) Enabled in security settings All users must sign up for a Developer account to view APIs. They can optionally create an Application to generate credentials/API keys.

RBAC can be enabled for Teams assignments for developers, granting credentials with the API Consumer role, configured in security settings.

To publish your API, do one of the following:

Navigate to Catalog > APIs and click your API. Click the Portals tab, and then click Publish API.

Once published, the API appears in the selected Dev Portal. If user authentication is enabled, developers can register, create applications, generate credentials, and begin using the API. If RBAC is enabled, approved developers must be assigned to a team to access the API.

Allow developers to try requests from the Dev Portal spec renderer

When you upload a spec for your API to Dev Portal, you can use the Try it! feature to allow developers to try your API right from Dev Portal. Try it! enables developers to add their authentication credentials, path parameters, and request body from the spec renderer in Dev Portal and send the request with their configuration.

The Try it! feature is enabled by default for published APIs. You can disable it by sending a PATCH request to the /v3/portals/{portalId}/customization endpoint.

You may need to enable the CORS plugin for this feature to work. Use the table below to determine the appropriate CORS configuration based on the Routes associated with your APIs:

Use case Headers used Route configuration CORS configuration
Simple request None No special configuration needed No CORS configuration required
Requests with any headers Any header Add methods: OPTIONS to any associated Routes that use the headers. Enable Try it in Dev Portal for requests with any header
Routes configured with a header to match Any header that is required by the request Do one of the following:
  • Add a new Route at the same path with methods: OPTIONS configured.
  • Add a global Route (a Route that isn’t associated with a Service) at the Control Plane-level with methods: OPTIONS configured (no path needs to be specified).
 Enable Try it in Dev Portal for requests with any header

When using OAuth2 flows, some IdPs may require including additional parameters for token requests. You can include the x-kong-client-credentials-config property in oauth2 type securitySchemes to allow users to input specific values for predefined parameters.

For example, this configuration allows spec renderer users to specify a custom audience value that is specific to their request:

components:
  securitySchemes:
    oauth2:
      type: oauth2
      x-kong-client-credentials-config:
        extraTokenRequestParameters:
          - name: audience
            label: Audience
            description: The audience of the authorization server to scope tokens to
            omitIfEmpty: true
            required: true
      flows:
        clientCredentials:
          tokenUrl: 'https://example.com/oauth/token'

Filtering published APIs in Dev Portal

You can filter and categorize published APIs on your Dev Portals with custom attributes. By assigning attributes to an API, this allows users to filter APIs in the Dev Portal sidebar. For an API, you can define one or more custom attributes, and each attribute can have one or more values. For example, if you had a Billing API, you could label it with "visibility": ["Internal"] and "platform": ["Web", "Mobile"].

For more information about how to use custom attributes for filtering APIs displayed in your Dev Portal, see the MDC documentation.

FAQs

I’m using the Try it feature in the spec renderer to send requests from Dev Portal, but I’m getting a 401. How do I fix it?

If the published API has an authentication strategy configured for it, you must include your key in the request. All requests without a key to the Service linked to the API are blocked if it is published with an auth strategy.

I just edited or deleted my spec, document, page, or snippet. Why don’t I immediately see these changes live in the Dev Portal?

If you recently viewed the related content, your browser might be serving a cached version of the page. To fix this, you can clear your browser cache and refresh the page.

How do I allow developers to view multiple versions of an API in the Dev Portal?

Use the /apis/{apiId}/versions endpoint to publish multiple versions of an API. Developers can then select which API version to view in the Dev Portal spec renderer. Each version reflects how the endpoints were documented at a specific time. It doesn’t reflect the actual implementation, which will usually align with the latest version. Changing the version in the dropdown only changes the specs you see. It does not change the requests made with application credentials or app registration.

There are two exceptions when the underlying implementation should match the selected version:

  • With Dev Portal app registration: If non-current versions have Route configurations that allow requests to specify the version in some way, each version must document how to modify the request to access the given version (for example, using a header).
  • Without Dev Portal app registration: If the version can be accessed separately from other versions of the same API, each version must document how to modify the request to access the given version.

Why don’t I see API Products in my Konnect sidebar?

API Products were used to create and publish APIs to classic (v2) Dev Portals. When the new (v3) Dev Portal was released, the API Products menu item was removed from the sidebar navigation of any Konnect organization that didn’t have an existing API product. If you want to create and publish APIs, you can create a new (v3) Dev Portal. To get started, see Automate your API catalog with the Konnect API.

My team has a Dev Portal, why can’t I see APIs?

You need additional permissions to see APIs. See the Catalog APIs roles for more information.

How can agents consume documentation published in a Dev Portal?

When you send a request to any Dev Portal URL using the Accept: text/markdown header or adding .md to the URL (for example, /guides/flights as /guides/flights.md), it will return LLM-friendly markdown instead of HTML.

For example:

curl https://portal.kongair.dev/guides/flights \
  -H "Accept: text/markdown"

Application registration auto approve is disabled for my Dev Portal, can I override this for APIs or API packages?

Yes, when the Dev Portal auto approve application registration setting is disabled, you can override this on a per-API and API package basis. You can do this via the UI, API, or Terraform:

If application registration auto approval is enabled at the Dev Portal level, you cannot override it, all APIs and API packages will be set to auto approve application registrations.

Does Dev Portal support adding GraphQL endpoints to an API or API package, or setting GraphQL-specific rate limits?

No. Dev Portal doesn’t support GraphQL. The spec renderer and application registration flows are built for OpenAPI and AsyncAPI specs, and there’s no GraphQL-specific rate limiting available through Dev Portal.

Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support