Documentation Index

Fetch the complete documentation index at: https://docs.plainid.io/llms.txt

Use this file to discover all available pages before exploring further.

Installation

Prev Next

This guide walks you through installing and configuring the PlainID Apigee Authorizer, which enables policy-based authorization for your Apigee API proxies via PlainID's PDP. The process involves creating a Shared Flow, configuring it with your PDP endpoint, and connecting it to your API proxy's PreFlow.

Prerequisites

  • An Apigee API proxy.
  • An Apigee Environment that you can use to deploy your API proxies and Shared Flows.
  • Permissions on Apigee to create and update Shared Flows, and connect them to API proxies.
  • PlainID Apigee Authorizer, downloaded from the Platform.

Obtaining the Apigee Authorizer

Click here to learn how to create an Authorizer on the Platform.

Important

Ensure that you follow these instructions closely, replace placeholder values with actual values, and verify that all the XML parameters, URLs, and other configuration details are accurate for your specific setup

Installing the Apigee Authorizer

Creating a Shared Flow

  1. Access the Apigee section through the Google Cloud console.
  2. Click on the Navigation Menu at the top left.
  3. Hover over Apigee and click on Shared Flows.
  4. Click Upload Bundle
  5. Select the PlainID Authorizer bundle you downloaded from the Platform.
  6. Click on Create.

It's recommended that you use a Shared Flow name which shares the Authorizer Name that was downloaded from the Platform for easier management.

Updating a Shared Flow

After the Shared Flow is created, the **Shared Flow Details **page appears.

  1. Click DEVELOP.
  2. Click call-pdp (under Policies).
  3. Update the pdpEndpointV5 property according to the following instructions:
     
    • If using the Platform Cloud PDP:
      Set the pdpEndpointV5 to /api/runtime/5.0/decisions/permit-deny

    • If using the PlainID Authorization Agent PDP (Customer hosted):
      Set the pdpEndpointV5 to /runtime/5.0/decisions/permit-deny
  4. Save the changes and deploy.

call-pdp.xml Samples

PDP as part of the Platform:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
  <DisplayName>call-pdp</DisplayName>
  <IncludeURL>jsc://URI.js</IncludeURL>
  <IncludeURL>jsc://parse-headers.js</IncludeURL>
  <IncludeURL>jsc://parse-body.js</IncludeURL>
  <ResourceURL>jsc://call-pdp.js</ResourceURL>
  <Properties>
    <Property name="pdpEndpointV5">/api/runtime/5.0/decisions/permit-deny</Property>
    <Property name="authorizerVersion">1.3.4</Property>
  </Properties>
</Javascript>

 
PDP as part of the PAA (Customer hosted):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
  <DisplayName>call-pdp</DisplayName>
  <IncludeURL>jsc://URI.js</IncludeURL>
  <IncludeURL>jsc://parse-headers.js</IncludeURL>
  <IncludeURL>jsc://parse-body.js</IncludeURL>
  <ResourceURL>jsc://call-pdp.js</ResourceURL>
  <Properties>
    <Property name="pdpEndpointV5">/runtime/5.0/decisions/permit-deny</Property>
    <Property name="authorizerVersion">1.3.4</Property>
  </Properties>
</Javascript>

Connecting the Shared Flow to an API Proxy:

  1. In the left pane on the Apigee Admin console, select API Proxies.
  2. Select the API Proxy to protect.
  3. Go to the Develop tab.
  4. In Policies click Add Policy.
  5. Select the Flow Callout policy.
  6. Name it and give it a display name (e.g., FC-authz-apigee).
  7. Choose the Shared Flow from the previous step.
  8. Click Create.

Update the Policy Configuration

  1. Select the policy you just created.
  2. In the code editor, update the XML Parameters section.

XML Code for Adding a Policy to the API Proxy PreFlow:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="FC-3ch0-1.3.4">
  <DisplayName>FC-3ch0-1.3.4</DisplayName>
  <Parameters>
    <Parameter name="pdpUrl" value="https://acme-corp-finance.us1.plainid.io"/>
    <Parameter name="clientId" value="PQ2OUNHDCCCCQ9CDKU13"/>
    <Parameter name="clientSecret" value="vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE"/>
    <Parameter name="authorizerId" value="CCsM5N9a46ATYc1InHO3"/>
    <Parameter name="headerKeysCaseHandling" value="uppercase"/>
    <Parameter name="headerValuesCaseHandling" value="uppercase"/>
    <Parameter name="ignoreHeadersValueTransformation" value="Authorization"/>
   <Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
  </Parameters>
  <SharedFlowBundle>3ch0-authz-1.3.4</SharedFlowBundle>
</FlowCallout>

Configuration Parameters Details

Parameter Name Description Example
pdpUrl URL of the component installed in the Platform https://acme-corp-finance.us1.plainid.io
clientId The Client ID from the corresponding environment, application, and scope in PlainID PQ2OUNHDCCCCQ9CDKU13
clientSecret The Client Secret from the corresponding environment, application, and scope in PlainID vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE
authorizerId The Authorizer ID from the API Authorizers tab in your environment APJJIUH1BFLOWOW

Optional Header Parameters

Parameter Name Description Default Options
headerKeysCaseHandling Determines whether the authorizer should alter the header keys case. lowercase Value 1: uppercase

Value 2: lowercase
headerValuesCaseHandling Determines if changing the key name, the value, or both. preserveCase Value 1: uppercase

Value 2: lowercase

Value 3: preserveCase
ignoreHeadersValueTransformation Determines which headers to ignore when handling the case. Authorization Example: "Authorization, header1, header2"
runtimeFineTune This parameter can be leveraged to fine-tune the PDP calculation with additional supported request properties. Refer to our Authorization APIs documentation for more details on potential properties. This parameter should be passed as a JSON string with the relevant PDP properties and values. If a config key is not added, the default is an empty parameter:
"meta": {
"runtimeFineTune": {}
}
Example 1:
{
...
"meta": {
"runtimeFineTune" : {
"includeIdentity": "true",
}
}
}

Example 2:
{"entityAttributes": {"region": ["US"]},"combinedMultiValue": true}

JWT Propagation

Prerequisites
The Runtime Scope must have JWT response signing configured (private key, audience, expiration). Otherwise, the Runtime returns a standard JSON response and the Authorizer reverts to the standard flow.

When PROPAGATE_JWT is set to true, the Authorizer requests JWT responses from the PDP by sending accessTokenFormat: "JWT" in the request body.

The Authorizer supports both JWT wrapper responses and standard JSON responses, and automatically detects the response format. If the response contains token and code fields, the JWT flow is used and code === 200 results in an Allow decision. Otherwise, the Authorizer falls back to the standard flow using data.result === "PERMIT".

This behavior is fully backward compatible and does not affect existing integrations.

When authorization is allowed and RESPONSE_JWT_CONTEXT_KEY is configured, the JWT is added to the Apigee flow variables using the configured key, and can be referenced in downstream policies.

Parameter Name Description Default Options
PROPAGATE_JWT Requests JWT-format responses from the PDP and propagates the JWT in the Apigee flow variables on Allow. When set to true, the Authorizer sends accessTokenFormat: "JWT" in the PDP request body. false Boolean string: true or false
RESPONSE_JWT_CONTEXT_KEY Defines the key used to store the propagated JWT in the Apigee flow variables. jwtToken Optional. When configured, the JWT is added to flow variables on Allow decisions and can be referenced downstream as context.getVariable(<key>).

Adding the Policy to the PreFlow

  1. Under Proxy endpoints, select PreFlow.
  2. Click Add Policy Step.
  3. Select the Policy you created in the previous step.
  4. Click Add.
  5. Save and Deploy the changes.

Example of Modified XML Code with Added Parameters

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="Flow-Callout-PlainID-AuthZ">
    <DisplayName>Flow-Callout-PlainID-AuthZ</DisplayName>
    <FaultRules/>
    <Properties/>
    <SharedFlowBundle>shared-flow-plainid-authz</SharedFlowBundle>
    <Parameters>
        <Parameter name="pdpUrl" value="https://acme-financing.us1.plainid.io"/>
        <Parameter name="clientId" value="PABCDYDO123J1T36MRMU"/>
        <Parameter name="clientSecret" value="IVJqT21234wfhzqAbcdQpogn1234568zlWVveESzH"/>
        <Parameter name="headerKeysCaseHandling" value="lowercase"/>
       <Parameter name="headerValuesCaseHandling" value="preserveCase"/>
       <Parameter name="ignoreHeadersValueTransformation" value="Authorization"/>
       <Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
       <Parameter name="PROPAGATE_JWT" value="true"/>
       <Parameter name="RESPONSE_JWT_CONTEXT_KEY" value="jwtToken"/>
    </Parameters>
</FlowCallout>

Once these steps are completed, the requests to the API proxy will be authorized by PlainID through the Authorizer.

Storing Settings and Credentials

You can use the Apigee Key Value Maps to securely store different configurations/Attributes (clientSecret, clientId, etc.).

© 2026 PlainID LTD. All rights reserved.