Debug API Key invalid authentication

Check your API Product on Apigee

Is it enabled for your environment (test vs prod)?

Is it bound to the Istio service you're accessing?

Check the Istio Services section. Remember, the service name must be a fully qualified Istio service name. For example, helloworld.default.svc.cluster.local is the helloworld service in the default namespace.

Does the Resource Path match your service's URI in Istio?

Remember, a path like / or /** will match any path. You may also use '*' or '**' wildcards for matching.

Is the API Product associated with a Developer App?

Are you using a correct Consumer Key from your Developer App?

Check your request

Are you passing the Consumer Key in your x-api-key header? Example:

curl localhost/hello -H "x-api-key: wwTcvmHvQ7Dui2qwj43GlKJAOwmo"

Check the Mixer logs

Set the Mixer policy adapter logging to debug level

See the Mixer-logging-and-metrics page on how to set up and view the logs.

Attempt to access your service and check the logs

Check the logs for a line that looks something like this:

Resolve api: helloworld.default.svc.cluster.local, path: /hello, scopes: [scope1 scope2]
Selected: [helloworld]
Eliminated: [helloworld2 doesn't match path: /hello]

This should give you the information you need as to why your request was rejected.