API Management

Components

Component Description
API gateway
    Endpoint that:
    • Accepts API calls and routes them to the backend
    • Verifies API keys, JWT tokens, certificates, and other credentials
    • Enforces usage quotas and rate limits
    • Transforms your API on the fly without code modifications
    • Caches backend responses where set up
    • Logs call metadata for analytics purposes
Azure portal
    Administrative interface where you set up your API program:
    • Define or import API schema
    • Package APIs into products
    • Set up policies such as quotas or transformations on the APIs
    • Get insights from analytics
    • Manage users
Developer portal
    Main web presence for developers:
    • Read API documentation
    • Try out an API via the interactive console
    • Create an account and subscribe to get API keys
    • Access analytics on their own usage

Authentication

Subscriptions and Keys

Subscriptions
    Used to segment the access levels to an API
Subscription keys
  • Are the credentials that grant access to a subscription
  • Whenever a client makes a request to a protected API, it must include a valid subscription key in the HTTP request or the call will be rejected
    • A subscription key is a unique, auto-generated key that can be passed in a header of the client request or as a query string parameter
    • The default header name is Ocp-Apim-Subscription-Key, and the default query string parameter is subscription-key
    • Example: curl --header "Ocp-Apim-Subscription-Key: <key string>" https://<apim gateway>.azure-api.net/api/path
  • Every subscription has two keys, a primary and a secondary (useful for key rotation)
Subscription scopes
  • All APIs: Applies to every API accessible from the gateway
  • Single API: Applies to a single imported API and all of its endpoints
  • Product: A product is a collection of one or more APIs that you configure in API Management

Client certificates

  • Certificates can be used to provide TLS mutual authentication between the client and the API gateway.
  • With TLS client authentication, the API Management gateway can inspect the certificate contained within the client request and check for properties like:
    • Certificate Authority (CA): Only allow certificates signed by a particular CA
    • Thumbprint: Allow certificates containing a specified thumbprint
    • Subject: Only allow certificates with a specified subject
    • Expiration Date: Only allow certificates that have not expired
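The four checks above expressed as an API Management inbound policy, added here as an example and not taken from the original page; the issuer name, thumbprint and subject are placeholders you would replace with your own values, and in practice you would pick the checks you need (a CA check or a thumbprint pin, for instance) rather than apply all four.

```xml
<!-- Added example: inbound policy applying the client-certificate checks from the table.
     Placeholder values (PLACEHOLDER-...) must be replaced with real ones. -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- No certificate presented, or its chain does not verify: reject -->
            <when condition='@(context.Request.Certificate == null || !context.Request.Certificate.Verify())'>
                <return-response>
                    <set-status code="403" reason="Client certificate required" />
                </return-response>
            </when>
            <!-- Certificate Authority: only accept certificates issued by the expected CA -->
            <when condition='@(context.Request.Certificate.Issuer != "CN=PLACEHOLDER-ISSUING-CA")'>
                <return-response>
                    <set-status code="403" reason="Untrusted certificate issuer" />
                </return-response>
            </when>
            <!-- Thumbprint: pin to one specific certificate (upper-case hex, no separators) -->
            <when condition='@(context.Request.Certificate.Thumbprint != "PLACEHOLDER-THUMBPRINT")'>
                <return-response>
                    <set-status code="403" reason="Unexpected certificate thumbprint" />
                </return-response>
            </when>
            <!-- Subject: only the expected client identity -->
            <when condition='@(context.Request.Certificate.SubjectName.Name != "CN=PLACEHOLDER-CLIENT")'>
                <return-response>
                    <set-status code="403" reason="Unexpected certificate subject" />
                </return-response>
            </when>
            <!-- Expiration Date: reject certificates whose validity period has ended -->
            <when condition='@(DateTime.Now > context.Request.Certificate.NotAfter)'>
                <return-response>
                    <set-status code="403" reason="Client certificate expired" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
</policies>
```

The first matching when clause wins, so an invalid certificate is rejected with a 403 before the request reaches the backend; Azure also provides the validate-client-certificate policy, which expresses these same checks declaratively.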