Azure API Management: Is it possible to disable the Subscription Key?

Is it a must that the Subscription Key is sent as part of the request when calling through API Management? Is there a way to disable this option?

Create a new product and uncheck "Require subscription" in its settings. Any API added to such product will be callable without a key, i.e. anonymously.

Related

Can we use OAuth 2 (access token) instead of Subscription Key in APIM and does it have any effect?

I want to use an access token to manage users who want to access my API on APIM and remove the subscription key. Can we do that?
Both of them are header-based authentication, but in OAuth the platform will provide the access token instead of you going to the portal and getting the subscription key.
Refer to the following documentation for a more in-depth explanation.
On the settings tab there is a setting to disable the API key called subscription required:
JWT token validation can be added through a policy. There are examples in the documentation:
https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT

How to bypass Subscription Key for single endpoint in the API in Azure API Management

I would like to avoid providing a Subscription Key for a single endpoint in my API. So far I found that I can disable Subscription for a whole Product or API, which is not what I want. Is this even possible?
The only way which comes to my mind is another API and Product exposing only this single endpoint (obviously without subscription).
To summarize from the comments: currently we can't implement your requirement of disabling "subscription" for one endpoint of an API in APIM.
The workaround is what you mentioned: create another API or product for the endpoint and disable the "subscription".
Another workaround is to disable the "subscription" for all of the endpoints in the API, and add a query parameter (or header parameter) for the endpoints (except the one endpoint) as a "subscription key". Then check the subscription key in the "inbound" policy of most endpoints.
For this feature, you can also create a ticket on the Azure feedback page to suggest that the Azure development team add it.

Azure API Management - How to change default error message for invalid subscription key

We have configured APIM and pointed it to API endpoints which are deployed in a WebApp.
We have configured products, subscription keys, APIs and operations for the same.
For APIM endpoints, it is necessary for the developer to pass a subscription key; if it is not passed, APIM will return HTTP 401 with the error message below:
Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription.
Is there any way we can change this to a custom message, as required by the business team?
Use a choose policy inside the on-error section to identify the scenario (you can inspect context.LastError.Reason), and a return-response policy to provide a custom response.
There is currently no way to do this. Please vote for this request on Azure's feedback forum:
Customize error schema messages
Edit: @Vitaliy Kurokhtin's answer is a workaround, although you need to keep in mind that where you define the error policy (All APIs level, API level, Operation level) will impact whether or not the on-error policy you defined will get invoked.
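The choose plus return-response approach suggested in the answers above, written out as an added example (not code from either answer). It assumes the policy is defined at the All APIs scope, in line with the caveat about scope, and the response bodies are constructed sample text.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
        <choose>
            <!-- The request carried no subscription key at all. -->
            <when condition="@(context.LastError.Reason == "SubscriptionKeyNotFound")">
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <!-- Constructed sample body; replace with the wording the business team wants. -->
                    <set-body>{"code":"API_KEY_MISSING","message":"Send your API key in the Ocp-Apim-Subscription-Key header."}</set-body>
                </return-response>
            </when>
            <!-- A key was sent but it is unknown or its subscription is not active. -->
            <when condition="@(context.LastError.Reason == "SubscriptionKeyInvalid")">
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <!-- Constructed sample body. -->
                    <set-body>{"code":"API_KEY_INVALID","message":"The API key is not valid for an active subscription."}</set-body>
                </return-response>
            </when>
            <!-- Every other error falls through unchanged, so unrelated failures
                 are not relabelled as authentication problems. -->
        </choose>
    </on-error>
</policies>
```

The status code stays 401 in both branches so clients and monitoring that key off the status continue to work; only the body changes.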

How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key?

This is a follow up to the following question:
How to prevent Ocp-Apim-Trace: true and ocp-apim-trace-location in production?
My API consumers must have a subscription key to be able to use my API.
However, I do not want them to see the detailed traces provided in ocp-apim-trace-location. The detailed trace gives them visibility into my internal service URLs and details that can be a potential security risk.
How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key?
There is no way to disable tracing functionality; not sending this header will disable trace collection for one request only. But do know that only admin users are capable of collecting traces: if this header is supplied along with a subscription key that does not belong to an admin account (or no subscription key at all), no traces will be collected. The idea here is that traces may expose information the service owner may not be willing to share with developers.
Actually, you could design APIs that belong to an open product to be callable anonymously.
Create a new product and uncheck Require subscription in its settings. Any API added to such a product will be callable without a key, anonymously.
That way you could let your consumers call your API anonymously without a subscription key and so eliminate tracing.
For more details, you could refer to this article.

Google Maps API with key not working on Domain

I tried to set up a simple map: http://pan-american.ch and keep getting the same error in the JS console:
https://developers.google.com/maps/documentation/javascript/error-messages#referer-not-allowed-map-error
Your site URL to be authorized:
On this domain, http://map2.codedesign.ch, the key works fine.
So my question is: where can I add domains...
You want to set up the referrers to allow http://pan-american.ch.
See the Google Documentation on Setting up API keys:
Setting up API keys
If your client application does not use OAuth 2.0, then it must include an API key when it calls an API that's enabled within a Google Cloud Platform project. The application passes this key into all API requests as a key=API_key parameter.
To create your application's API key:
1. Go to the Cloud Platform Console.
2. From the projects list, select a project or create a new one.
3. If the API Manager page isn't already open, open the menu and select API Manager.
4. On the left, choose Credentials.
5. Click Create credentials and then select API key.
6. Choose the type of key to use. (API key types are described in more detail in the following sections.) If you're unsure whether an API key is appropriate for the API you're calling, select Help me choose and follow the instructions to pick the right credentials.
Note: In addition to reading the instructions on this page, be sure to read Best practices for securely using API keys.
The API supports several types of API keys, including server keys, browser keys, iOS keys, and Android keys.
Browser keys
Create and use a Browser key if your application runs on a client, such as a web browser. To prevent your key from being used on unauthorized sites, only allow referrals from domains you administer.