In this blog post, we will see one of the ways to secure your Azure Functions using API keys. Security plays a key role as part of SDLC (Software Development Life Cycle) doesn't matter whether it's exposed to the client/public or even if it's internal. There are multiple ways to secure your Azure Functions like API Keys, Certificate, API Mgmt, App Service Authentication, etc. If you are new to the Cloud and Azure Functions but want to make a start with minimal effort and less setup of Infrastructure, then API Keys is the ideal choice.
Azure Functions allows you to secure HTTP-triggered functions by API access key in the request. As part of creating new Azure Functions, we can select the Authorization Level enum value. If we set the Authorisation level to Anonymous, no security applied which means no authentication applied for the endpoint.
Authorization Level - Function
 |
| Authorization Level - Function |
 |
| Function Keys |
Using Postman let's quickly verify. As part of the request passing in the header API Key value for the header name "x-functions-key" should work for us. As mentioned above you can verify the same using custom API keys or Host key as well.
 |
| Verify using Postman Note: The Function level should be used if you want to give other systems or users access to this specific Azure Function in your deployment. |
Authorization Level - Admin
 |
| Authorization Level - Admin |
From the Azure Portal we can set Admin API Keys for all Azure Functions as shown below. Using Postman you can verify the request by passing in the header API Key value for the header name "x-functions-key" should work for us.  |
| Authorization Level - Admin |