---
title: "Installation"
slug: "apigee-installation"
updated: 2025-10-28T11:38:13Z
published: 2025-10-28T11:38:13Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://docs.plainid.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Installation

## Prerequisites

- An Apigee API proxy.
- An Apigee Environment that you can use to deploy your API proxies and Shared Flows.
- Permissions on Apigee to create and update Shared Flows, and connect them to API proxies.
- PlainID Apigee Authorizer, downloaded from the Platform.

## Obtaining the Apigee Authorizer

Click [here](/api-authorizers) to learn how to create an Authorizer on the Platform.

          Important

          

Ensure that you follow these instructions closely, replace placeholder values with actual values, and verify that all the XML parameters, URLs, and other configuration details are accurate for your specific setup

## Installing the Apigee Authorizer

### Creating a Shared Flow

1. Access the Apigee section through the Google Cloud console.
2. Click on the **Navigation Menu** at the top left.
3. Hover over Apigee and click on **Shared Flows**.
4. Click **Upload Bundle**
5. Select the PlainID Authorizer bundle you downloaded from the Platform.
6. Click on **Create**.

*It's recommended that you use a Shared Flow name which shares the Authorizer Name that was downloaded from the Platform for easier management.*

### Updating a Shared Flow

After the **Shared Flow** is created, the **Shared Flow Details **page appears.

1. Click **DEVELOP**.
2. Click **call-pdp** (under **Policies**).
3. Update the `pdpEndpointV5` property according to the following instructions:
  - If using the Platform Cloud PDP:  

Set the `pdpEndpointV5` to `/api/runtime/5.0/decisions/permit-deny`
  - If using the PlainID Authorization Agent PDP (Customer hosted):  

Set the `pdpEndpointV5` to `/runtime/5.0/decisions/permit-deny`
4. Save the changes and deploy.

### call-pdp.xml Samples

**PDP as part of the Platform**:

```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
  <DisplayName>call-pdp</DisplayName>
  <IncludeURL>jsc://URI.js</IncludeURL>
  <IncludeURL>jsc://parse-headers.js</IncludeURL>
  <IncludeURL>jsc://parse-body.js</IncludeURL>
  <ResourceURL>jsc://call-pdp.js</ResourceURL>
  <Properties>
    <Property name="pdpEndpointV5">/api/runtime/5.0/decisions/permit-deny</Property>
    <Property name="authorizerVersion">1.3.4</Property>
  </Properties>
</Javascript>
```

**PDP as part of the PAA (Customer hosted)**:

```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Javascript continueOnError="false" enabled="true" timeLimit="2000" name="call-pdp">
  <DisplayName>call-pdp</DisplayName>
  <IncludeURL>jsc://URI.js</IncludeURL>
  <IncludeURL>jsc://parse-headers.js</IncludeURL>
  <IncludeURL>jsc://parse-body.js</IncludeURL>
  <ResourceURL>jsc://call-pdp.js</ResourceURL>
  <Properties>
    <Property name="pdpEndpointV5">/runtime/5.0/decisions/permit-deny</Property>
    <Property name="authorizerVersion">1.3.4</Property>
  </Properties>
</Javascript>
```

### Connecting the Shared Flow to an API Proxy:

1. In the left pane on the Apigee Admin console, select **API Proxies**.
2. Select the API Proxy to protect.
3. Go to the **Develop** tab.
4. In Policies click **Add Policy**.
5. Select the `Flow Callout` policy.
6. Name it and give it a display name (e.g., FC-authz-apigee).
7. Choose the Shared Flow from the previous step.
8. Click **Create**.

### Update the Policy Configuration

1. Select the policy you just created.
2. In the code editor, update the XML `Parameters` section.

**XML Code for Adding a Policy to the API Proxy PreFlow**:

```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="FC-3ch0-1.3.4">
  <DisplayName>FC-3ch0-1.3.4</DisplayName>
  <Parameters>
    <Parameter name="pdpUrl" value="https://acme-corp-finance.us1.plainid.io"/>
    <Parameter name="clientId" value="PQ2OUNHDCCCCQ9CDKU13"/>
    <Parameter name="clientSecret" value="vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE"/>
    <Parameter name="authorizerId" value="CCsM5N9a46ATYc1InHO3"/>
    <Parameter name="headerKeysCaseHandling" value="uppercase"/>
    <Parameter name="headerValuesCaseHandling" value="uppercase"/>
    <Parameter name="ignoreHeadersValueTransformation" value="Authorization"/>
   <Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
  </Parameters>
  <SharedFlowBundle>3ch0-authz-1.3.4</SharedFlowBundle>
</FlowCallout>
```

#### Configuration Parameters Details

| Parameter Name | Description | Example |
| --- | --- | --- |
| pdpUrl | URL of the component installed in the Platform | https://acme-corp-finance.us1.plainid.io |
| clientId | The Client ID from the corresponding environment, application, and scope in PlainID | PQ2OUNHDCCCCQ9CDKU13 |
| clientSecret | The Client Secret from the corresponding environment, application, and scope in PlainID | vm4jMLCCCCCCsM5N9a46ATYc1InHO31W7537EEEEE |
| authorizerId | The Authorizer ID from the API Authorizers tab in your environment | APJJIUH1BFLOWOW |

#### Optional Header Parameters

| Parameter Name | Description | Default | Options |
| --- | --- | --- | --- |
| headerKeysCaseHandling | Determines whether the authorizer should alter the header keys case. | lowercase | Value 1: `uppercase` Value 2: `lowercase` |
| headerValuesCaseHandling | Determines if changing the key name, the value, or both. | preserveCase | Value 1: `uppercase` Value 2: `lowercase` Value 3: `preserveCase` |
| ignoreHeadersValueTransformation | Determines which headers to ignore when handling the case. | `Authorization` | Example: "Authorization, header1, header2" |
| runtimeFineTune | This parameter can be leveraged to fine-tune the PDP calculation with additional supported request properties. Refer to our [Authorization APIs documentation](https://docs.plainid.io/v1-api) for more details on potential properties. This parameter should be passed as a JSON string with the relevant PDP properties and values. | If a config key is not added, the default is an empty parameter: `"meta": {` `"runtimeFineTune": {}` `}` | Example 1: `{` `...` `"meta": {` `"runtimeFineTune" : {` `"includeIdentity": "true",` `}` `}` `}` Example 2: `{"entityAttributes": {"region": ["US"]},"combinedMultiValue": true}` |

### Adding the Policy to the PreFlow

1. Under Proxy endpoints, select `PreFlow`.
2. Click **Add Policy Step**.
3. Select the Policy you created in the previous step.
4. Click **Add**.
5. **Save** and **Deploy** the changes.

#### Example of Modified XML Code with Added Parameters

```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout continueOnError="false" enabled="true" name="Flow-Callout-PlainID-AuthZ">
    <DisplayName>Flow-Callout-PlainID-AuthZ</DisplayName>
    <FaultRules/>
    <Properties/>
    <SharedFlowBundle>shared-flow-plainid-authz</SharedFlowBundle>
    <Parameters>
        <Parameter name="pdpUrl" value="https://acme-financing.us1.plainid.io"/>
        <Parameter name="clientId" value="PABCDYDO123J1T36MRMU"/>
        <Parameter name="clientSecret" value="IVJqT21234wfhzqAbcdQpogn1234568zlWVveESzH"/>
        <Parameter name="headerKeysCaseHandling" value="lowercase"/>
       <Parameter name="headerValuesCaseHandling" value="preserveCase"/>
       <Parameter name="ignoreHeadersValue Transformation" value="Authorization"/>
       <Parameter name="runtimeFineTune">{"includeIdentity": "true"}</Parameter>
    </Parameters>
</FlowCallout>
```

Once these steps are completed, the requests to the API proxy will be authorized by PlainID through the Authorizer.

#### Storing Settings and Credentials

You can use the Apigee Key Value Maps to securely store different configurations/Attributes (clientSecret, clientId, etc.).