membrane · christiangoerdes · Jan 5, 2026 · Jan 4, 2026 · Jan 4, 2026 · Jan 5, 2026
diff --git a/core/src/main/java/com/predic8/membrane/core/cli/RouterCLI.java b/core/src/main/java/com/predic8/membrane/core/cli/RouterCLI.java
@@ -75,8 +75,7 @@ private static void start(String[] args) {
         if (commandLine.getCommand().getName().equals("private-jwk-to-public")) {
             privateJwkToPublic(commandLine);
         }
-        var router = getRouter(commandLine);
-        if (router instanceof DefaultRouter dr)
+        if (getRouter(commandLine) instanceof DefaultRouter dr)
             dr.waitFor();
     }
 

diff --git a/core/src/main/java/com/predic8/membrane/core/interceptor/apikey/ApiKeysInterceptor.java b/core/src/main/java/com/predic8/membrane/core/interceptor/apikey/ApiKeysInterceptor.java
@@ -14,7 +14,6 @@
 package com.predic8.membrane.core.interceptor.apikey;
 
 import com.predic8.membrane.annot.*;
-import com.predic8.membrane.core.config.spring.*;
 import com.predic8.membrane.core.exchange.*;
 import com.predic8.membrane.core.interceptor.*;
 import com.predic8.membrane.core.interceptor.apikey.extractors.*;
@@ -23,11 +22,10 @@
 import org.slf4j.*;
 
 import java.util.*;
-import java.util.stream.*;
 
 import static com.predic8.membrane.core.exceptions.ProblemDetails.*;
 import static com.predic8.membrane.core.interceptor.Outcome.*;
-import static java.util.stream.Collectors.joining;
+import static java.util.stream.Collectors.*;
 import static java.util.stream.Stream.*;
 
 /**
@@ -85,10 +83,17 @@ public String getLongDescription() {
     @Override
     public void init() {
         super.init();
-        // At the moment the beanFactory is only there when the Membrane configuration was read from XML
+
+        // Todo: Move logic into the registry
+        // The beanFactory is only there when the Membrane configuration was read from XML
         if (router.getBeanFactory() != null) {
             stores.addAll(router.getBeanFactory().getBeansOfType(ApiKeyStore.class).values());
         }
+        // For YAML configuration
+        if (router.getRegistry() != null) {
+            this.stores.addAll(router.getRegistry().getBeans(ApiKeyStore.class));
+        }
+
         stores.forEach(s -> s.init(router));
 
         // Add the default extractor if none is configured

diff --git a/...n/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java b/...n/java/com/predic8/membrane/core/interceptor/apikey/extractors/ApiKeyHeaderExtractor.java
@@ -22,7 +22,6 @@
 import static com.predic8.membrane.core.security.ApiKeySecurityScheme.In.*;
 
 /**
- * @deprecated Set an expression like ${header['api']} on apiKey
  * @description Extracts an API key from a specific HTTP request header. By default, the header name
  * is <code>X-Api-Key</code>. If the header is present, its first value is returned as the API key.
  * <p>

diff --git a/distribution/examples/security/api-key/apikey-openapi/apis.yaml b/distribution/examples/security/api-key/apikey-openapi/apis.yaml
@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://www.membrane-api.io/v7.0.5.json
+
+components:
+  store:
+    apiKeyFileStore:
+      location: ./demo-keys.txt
+---
+
+api:
+  port: 2000
+  specs:
+    - openapi:
+        location: fruitshop-api-v2-openapi-3-security.yml
+        validateSecurity: true
+  flow:
+    - apiKey:
+        # API keys are validated in the OpenAPI validator with validateSecurity: true. See the OpenAPI document for details.
+        required: false
+        extractors:
+          - headerExtractor:
+              name: "X-Api-Key"
+      # The API key must be extracted before the OpenAPI validator is called.
+      # Normally, the OpenAPI is validated before the flow is executed. By explicitly
+      # setting the openapiValidator to this position, the OpenAPI is validated after the apiKey plugin.
+    - openapiValidator: {}
diff --git a/...st/java/com/predic8/membrane/examples/withinternet/test/APIKeyWithOpenAPIExampleTest.java b/...st/java/com/predic8/membrane/examples/withinternet/test/APIKeyWithOpenAPIExampleTest.java
@@ -26,13 +26,15 @@
 
 public class APIKeyWithOpenAPIExampleTest extends AbstractSampleMembraneStartStopTestcase {
 
+    public static final String API_KEY_HEADER = "X-Api-Key";
+
     @Override
     protected String getExampleDirName() {
         return "security/api-key/apikey-openapi";
     }
 
     @Test
-    public void noApiKey() {
+    void noApiKey() {
         when()
             .get("http://localhost:2000/shop/v2/products")
         .then().assertThat()
@@ -41,9 +43,9 @@ public void noApiKey() {
     }
 
     @Test
-    public void noScopesGet() {
+    void noScopesGet() {
         given()
-            .header("X-Api-Key", "111")
+            .header(API_KEY_HEADER, "111")
         .when()
             .get("http://localhost:2000/shop/v2/products")
         .then().assertThat()
@@ -53,9 +55,9 @@ public void noScopesGet() {
     }
 
     @Test
-    public void noScopesPost() {
+    void noScopesPost() {
         given()
-            .header("X-Api-Key", "111")
+            .header(API_KEY_HEADER, "111")
             .contentType(APPLICATION_JSON)
             .body("""
                         {
@@ -78,9 +80,9 @@ public void noScopesPost() {
     }
 
     @Test
-    public void writeScopes() {
+    void writeScopes() {
         given()
-            .headers("X-Api-Key", "222")
+            .headers(API_KEY_HEADER, "222")
             .contentType(APPLICATION_JSON)
             .body("{\"name\": \"Mango\", \"price\": 2.79}")
         .when()