TsgcWSAPIKeyManager › Properties › Validation
How keys are extracted (header, query), transport rules (HTTPS, IP allowlist) and the FailClosed policy.
property Validation: TsgcAPIKeyValidation read FValidation write SetValidation;—
Tells the manager how clients present their keys and under what conditions requests are accepted. HeaderName (default X-API-Key) and QueryParamName (default api_key) are the two places ExtractKeyFromHeaders / ExtractKeyFromQuery look when IsRequestAuthorized runs. RequireHTTPS rejects plaintext traffic outright. IPAllowlist — when non-empty — limits key usage to the listed source IPs so a leaked key still cannot be used from outside the allowed network. FailClosed (True by default) means any request the manager cannot positively authorize is rejected; set it to False only if you want to fall through to a secondary authentication layer.
// Corporate API: HTTPS-only, allow only office egress IPs, fail closed
sgcWSAPIKeyManager1.Validation.HeaderName := 'X-API-Key';
sgcWSAPIKeyManager1.Validation.QueryParamName := 'api_key';
sgcWSAPIKeyManager1.Validation.RequireHTTPS := True;
sgcWSAPIKeyManager1.Validation.FailClosed := True;
sgcWSAPIKeyManager1.Validation.IPAllowlist.Add('203.0.113.10');
sgcWSAPIKeyManager1.Validation.IPAllowlist.Add('203.0.113.11');