How does API Management handle requests with subscription keys and API versions?

Thomas Van den Bossche 1 Reputation point
2024-09-27T11:52:28.8+00:00

We currently have a setup where our API Management instance has APIs with two API versions (v0 and v1).

On the v1 we've enabled the requirement of a subscription key and assigned those APIs to a product.
There's a subscription linked to that product.

  • If we send the request to the v1 endpoints with the subscription key, everything works
  • If we send the request to the v0 endpoints without the subscription key, everything works
  • If we send the request to the v0 endpoints with the subscription key, we get an "Access Denied"

I wouldn't expect this last case to happen because the v0 API doesn't require a subscription? Why does it get an "Access Denied"? Removing the "Requires subscription" on the product also doesn't help. Only adding the v0 APIs to the product seems to help and then we can still send a request to the v0 endpoints without subscription key.

It's not entirely clear from the documentation what the expectation would be with API versions.

Azure API Management

Accepted answer
  1. Vadiraj C Joshi 0 Reputation points Microsoft Employee
    2024-10-01T21:25:08.6966667+00:00

    Hi @Thomas Van den Bossche Greetings! Welcome to Microsoft Q&A forum. Thank you for posting this question here.

    I see the third scenario is a bit confusing. Based on the information you've given, I'll make the following assumptions. Let me know if anything needs to be adjusted.

    • The v0 endpoint has "Subscription required" unchecked at API scope.
    • It is not part of any product.
    • You are providing a subscription key associated with a product in scenario 3 (that V1 is part of, but it doesn't really matter in this case)

    Given these assumptions, when you make a request to the v0 endpoint with a subscription key, APIM verifies if the provided key is -

    • A subscription scoped to the API - Not applicable.
    • A subscription scoped to all APIs - Not applicable.
    • The service-scoped subscription (built-in all access subscription) - Not applicable.
    • A subscription scoped to a product that's assigned to the API - This condition fails; given that subscription key belongs to a product which this API isn't a part of - This is why you get an access denied error.

    Yet, when you send the same request without the subscription key, the following checks occur -

    • Check first for the existence of a product that includes the API but doesn't require a subscription (an open product) - Let's assume you don't have an open product.
    • If an open product including the API isn't found, check whether the API requires a subscription. If a subscription isn't required, handle the request in the context of that API and operation - This condition is met successfully, allowing the request to proceed.

    If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with similar issues identify the solution. I highly appreciate your contribution to the community.
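
The evaluation order described in the accepted answer, as an added Python model that is not part of the original thread and is not API Management's own code. The product name `starter`, the key `k-123` and all function names are constructed for illustration; the setup mirrors the question (v1 in a product that requires a subscription, v0 with "Subscription required" unchecked).

```python
from dataclasses import dataclass

@dataclass
class Product:
    name: str
    apis: set
    subscription_required: bool = True

@dataclass
class Subscription:
    key: str
    scope: str        # "api", "all_apis", "service" or "product"
    target: str = ""  # API name or product name, for "api"/"product" scope

def authorize(api, key, api_requires_sub, products, subscriptions):
    """Return (allowed, reason) following the checks listed in the answer."""
    if key is not None:
        # A presented key is always validated, even if the API needs none.
        sub = next((s for s in subscriptions if s.key == key), None)
        if sub is None:
            return False, "unknown key"
        if sub.scope == "api" and sub.target == api:
            return True, "key scoped to this API"
        if sub.scope in ("all_apis", "service"):
            return True, "key scoped to all APIs / service"
        if sub.scope == "product" and any(
                p.name == sub.target and api in p.apis for p in products):
            return True, "key scoped to a product containing this API"
        return False, "key is valid but does not cover this API"
    # No key presented: open product first, then the API's own setting.
    if any(api in p.apis and not p.subscription_required for p in products):
        return True, "open product includes this API"
    if not api_requires_sub[api]:
        return True, "API does not require a subscription"
    return False, "subscription key required"

def scenarios(v0_in_product=False):
    """Constructed setup mirroring the question: v1 in a product, v0 open."""
    apis = {"v1"} | ({"v0"} if v0_in_product else set())
    products = [Product("starter", apis)]
    subs = [Subscription("k-123", "product", "starter")]  # constructed key
    req = {"v0": False, "v1": True}
    cases = [("v1", "k-123"), ("v0", None), ("v0", "k-123"), ("v1", None)]
    return {c: authorize(c[0], c[1], req, products, subs)[0] for c in cases}

if __name__ == "__main__":
    print(scenarios())
    print(scenarios(v0_in_product=True))
```

With `v0_in_product=True` the v0 call that carries the key succeeds, and v0 is still reachable without a key, which matches what the question reports.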
