Commit

Fix formatting
francbartoli committed Feb 26, 2024
1 parent 1fa47d7 commit f80efa0
Showing 2 changed files with 16 additions and 6 deletions.
2 changes: 2 additions & 0 deletions docs/howto-guides.md
@@ -1,7 +1,9 @@
# How-to Guides

## Configure Identity and Access Management

TBD

### Run Keycloak and Open Policy Agent

TBD
20 changes: 14 additions & 6 deletions docs/tutorials.md
Expand Up @@ -3,10 +3,10 @@
## Authentication and Authorization

!!! tip "Familiarize with the topic"
If you don't have prior experience with the topic, we recommend reading [Authentication and Authorization in Applications](https://www.permit.io/blog/authentication-vs-authorization), which is a really good introduction on the difference between Authentication and Authorization that helps you understand how they focus on two different purposes.
If you don't have prior experience with the topic, we recommend reading [Authentication and Authorization in Applications](https://www.permit.io/blog/authentication-vs-authorization), which is a really good introduction on the difference between Authentication and Authorization that helps you understand how they focus on two different purposes.

This tutorial aims to guide the user to configure **fastgeoapi** with a mechanism that fits with your security requirements.
The tool supports different security schemes for [OGC APIs](https://ogcapi.ogc.org/) served by [pygeoapi](https://pygeoapi.io) and allows optionally to enable a coarse or fine-grade authorization for a *collection* and the endpoints based on user needs and use cases.
The tool supports different security schemes for [OGC APIs](https://ogcapi.ogc.org/) served by [pygeoapi](https://pygeoapi.io) and allows optionally to enable a coarse or fine-grade authorization for a _collection_ and the endpoints based on user needs and use cases.

Supported security schemes are:

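Review bot: the changed sentence about supported security schemes still reads "coarse or fine-grade authorization", which should be "coarse or fine-grained authorization", and "allows optionally to enable" reads better as "optionally allows enabling". Since this commit already touches that line to switch `*collection*` to `_collection_`, the wording can be fixed in the same pass. The sentence just above it also mixes "guide the user" with "your security requirements"; pick one person. The old and new tip lines look identical here, so that change is presumably whitespace only; confirm the admonition body is indented under `!!! tip` so it renders inside the box.
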
Expand All @@ -15,18 +15,26 @@ Supported security schemes are:
- **OpenID Connect**: It looks like very similar to OAuth2 and in fact it is built on top of that. It allows to identify and authenticate a user in mobile and Single-Page Application (SPA).

!!! note "OAuth2 vs OpenID Connect"
It is beneficial to clarify that they serve two different purposes. [OAuth2](https://en.wikipedia.org/wiki/OAuth) is a framework for *Authorization* while [OpenID Connect](https://openid.net/developers/how-connect-works/) is a protocol for *Authentication*. If you would like to develop further the concepts then [this]() is an appropriate read.
It is beneficial to clarify that they serve two different purposes. [OAuth2](https://en.wikipedia.org/wiki/OAuth) is a framework for _Authorization_ while [OpenID Connect](https://openid.net/developers/how-connect-works/) is a protocol for _Authentication_. If you would like to develop further the concepts then [this]() is an appropriate read.

## Configure and protect pygeoapi

The protection mechanisms introduced above are mutually exclusive and they apply to the whole `pygeoapi` application that is wrapped by *fastgeoapi*.
The protection mechanisms introduced above are mutually exclusive and they apply to the whole `pygeoapi` application that is wrapped by _fastgeoapi_.
The configuration happens in the `.env` file where the environment variables for development and production are defined. As explained in the [getting-started](getting-started.md) section their prefix identifies the target environment (i.e. `DEV_` vs `PROD_`). Let's go through the different mechanisms.

Please make sure to have cloned the [repo](https://github.com/geobeyond/fastgeoapi) before starting the following section.
Please make sure to have cloned the [repo](https://github.com/geobeyond/fastgeoapi) before starting the following sections.

### API KEY

TBD
The configuration can be controlled with these two settings:

```yml
# api-keys
DEV_API_KEY_ENABLED=false
DEV_PYGEOAPI_KEY_GLOBAL=pygeoapi
```

Setting `DEV_API_KEY_ENABLE` to `true` is the way to enable a flat protection to the whole `pygeoapi` sub-application. The value sets in the `DEV_PYGEOAPI_KEY_GLOBAL` is the secret key that must be used in the Header `X-API-KEY` to consume the API.

### OAuth2

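Review bot: the paragraph under the new API KEY block names the setting `DEV_API_KEY_ENABLE`, but the block defines `DEV_API_KEY_ENABLED`; a reader who copies the name from the prose sets a variable the block does not show, and the value shown as `false` stays in effect. Use `DEV_API_KEY_ENABLED` in both places. In the same paragraph, "The value sets in the" should be "The value set in". The fence is tagged `yml` although its content is `KEY=value` lines for the `.env` file, so a dotenv or plain-text tag fits better. `DEV_PYGEOAPI_KEY_GLOBAL=pygeoapi` is described as the secret sent in `X-API-KEY`, so the text should say that `pygeoapi` is a placeholder to replace with a generated value before the key check is enabled. Separately, the "OAuth2 vs OpenID Connect" note still carries `[this]()` with an empty link target.
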