Kong · jschmid1 · Jul 11, 2024 · Aug 19, 2024 · Aug 19, 2024 · Aug 21, 2024
@@ -77,9 +77,9 @@ For more information about how to configure anonymous access, see [Anonymous Acc
 ### Create a Key
 
 {:.important}
-> **Note**: We recommend letting the API gateway autogenerate the key. Only specify it 
-yourself if you are migrating an existing system to {{site.base_gateway}}. 
-You must reuse your keys to make the migration to {{site.base_gateway}} transparent 
+> **Note**: We recommend letting the API gateway autogenerate the key. Only specify it
+yourself if you are migrating an existing system to {{site.base_gateway}}.
+You must reuse your keys to make the migration to {{site.base_gateway}} transparent
 to your consumers.
 
 {% navtabs %}
@@ -303,3 +303,71 @@ No API key is provided. | No | 401
 The API key is not known to {{site.base_gateway}} | No | 401
 A runtime error occurred. | No | 500
 
+
+### Externalized Consumers
+
+-- Dummy/Link that points to Konnect Docs when ready.
+
+With the `pool_id` you obtained from the previous step, you can configure the key-auth plugin to validate API keys against the Identity Service.
+
+#### Configuring Multiple Pools
+
+In the key-auth plugin configuration, add the `pools` option as shown below:
+
+```yaml
+pools:
+  - geo: us
+    id: <the_pool_id_you_got_in_step_1>
+    type: remote
+  - geo: null
+    id: null
+    type: local
+```
+
+The order in which you configure the pools dictates the priority in which the dataplane attempts to authenticate the provided API keys.
+
+In the example above, if the remote pool is listed first, the dataplane will first reach out to the identity service and, if necessary, subsequently to the local pool.
+
+Alternatively, you can configure the local pool first:
+
+```yaml
+pools:
+  - geo: null
+    id: null
+    type: local
+  - geo: us
+    id: <the_pool_id_you_got_in_step_1>
+    type: remote
+```
+
+In this configuration, the dataplane will initially check the local pool (LMDB) before querying the remote Identity Service.
+
+If a matching key is found in any of these pools, the request will be authenticated. If the key is not found in any of the configured pools, the request will be blocked.
+
+#### Configuring Single Pools
+
+It is also possible to configure only a single pool, either local or remote. However, only one of each type can be configured.
+
+To configure only a remote pool:
+
+```yaml
+pools:
+  - geo: us
+    id: <the_pool_id_you_got_in_step_1>
+    type: remote
+```
+
+In this case, the dataplane will only attempt to authenticate API keys against the remote Identity Service.
+
+To configure only a local pool:
+
+```yaml
+pools:
+  - geo: null
+    id: null
+    type: local
+```
+
+In this scenario, the dataplane will only check the local pool (LMDB) for API key authentication.
+
+In both cases, if the API key is not found in the configured pool, the request will be blocked.