We provide a sample policy fragment and a template that can be used in the policies of APIs that enforce API management, depending on whether you publish the APIs from the gateway or from the portal. Those samples only look for the API key to be sent in some way (usually as an apikey query string parameter), and then they use the Look Up API Key policy assertion to validate only the key, not the secret. However, that assertion outputs an ${apiKeyRecord.secret} context variable. So you'd just need to change the policy fragment and template to also require that the API consumer send the API secret, and then, after the Look Up API Key assertion, compare the value sent to ${apiKeyRecord.secret}. There are many ways a consumer could send both its API key and secret, including but not limited to HTTP Basic Auth, HTTP headers, and query string parameters.
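The key-plus-secret check described above, modeled in Python as an added example; it is not gateway policy and not the sample fragment or template mentioned here. The `X-API-Key`/`X-API-Secret` header names, the `apisecret` query parameter, and the contents of `KEY_STORE` are assumptions made for illustration.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs

# Constructed key store standing in for what Look Up API Key resolves;
# "secret" plays the role of ${apiKeyRecord.secret}.
KEY_STORE = {"demo-key-001": {"secret": "demo-secret-xyz"}}


def extract_credentials(headers, query_string):
    """Return (api_key, api_secret) from Basic Auth, headers, or query; else None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    auth = hdrs.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed Basic header: reject, do not fall through
        key, sep, secret = decoded.partition(":")
        return (key, secret) if sep and key and secret else None
    # Header names below are hypothetical, not defined by the gateway.
    if "x-api-key" in hdrs and "x-api-secret" in hdrs:
        return hdrs["x-api-key"], hdrs["x-api-secret"]
    # Query parameters work, but URLs commonly end up in access logs.
    params = parse_qs(query_string)
    if "apikey" in params and "apisecret" in params:
        return params["apikey"][0], params["apisecret"][0]
    return None


def authorize(headers, query_string, store=KEY_STORE):
    """True only if the key exists and the presented secret matches the record."""
    creds = extract_credentials(headers, query_string)
    if creds is None:
        return False  # key alone is no longer enough
    key, presented = creds
    record = store.get(key)
    # Unknown key: still run a comparison so both paths do similar work.
    expected = record["secret"] if record else ""
    # Constant-time comparison avoids leaking how many leading bytes matched.
    matches = hmac.compare_digest(presented.encode(), expected.encode())
    return bool(record) and matches
```
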