Azure API Management: disabling the Ocp-Apim-Subscription-Key for your API

When virtualizing your APIs behind an Azure API Management (APIM) service, callers always need to provide a subscription key. Typically this is passed in the Ocp-Apim-Subscription-Key request header. A subscription key is always linked to an APIM product, which you define in your publisher portal.

Sometimes you might want to disable the subscription key requirement altogether. Although this is usually not the best idea, it makes development scenarios easier and is sometimes preferred when working with legacy applications that cannot easily be changed.

Disclaimer: It is always a good idea to enforce the use of a subscription key for your API. Keys can be rotated, and you can easily grant, update or revoke access to your API per subscription, which significantly improves security.
Nevertheless, this blog post will show you how to proceed in case you are not in a position to work with subscription keys.

Creating a subscription-less product

In order to call APIs without a subscription key, you first need to create a new product within your APIM service:
go to your publisher portal, create a new product, and uncheck the ‘Require subscription’ checkbox.

[Screenshot: product_nosub]

Creating a dedicated subscription-less API

Once the product exists, we create a new API. For the purpose of this blog post, I’ll create a new API and assign the new product to it:

[Screenshot: api_nosub]

You need to assign the newly created product to this new API.

Important: it does not make much sense to assign additional products to this API, since it is already available without a subscription key.
It might, however, still be useful to assign multiple products, so that your API callers can use the same generic way of accessing your APIs whether or not they send a subscription key.
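A way to audit for this configuration afterwards (an added example, not code from the original post): the script below takes the product list as produced by `az apim product list -o json` and the per-product API list from `az apim product api list`, both replaced here by constructed sample data, and reports which APIs are reachable without an Ocp-Apim-Subscription-Key. It assumes the flattened field names `subscriptionRequired` and `state` as the Azure CLI returns them.

```python
import json

# Constructed sample shaped like `az apim product list -o json` output
# (product properties flattened to top level). Not real data.
PRODUCTS_JSON = """[
  {"name": "starter", "state": "published", "subscriptionRequired": true},
  {"name": "nosub", "state": "published", "subscriptionRequired": false},
  {"name": "draft-open", "state": "notPublished", "subscriptionRequired": false}
]"""

# Constructed product -> API mapping, as collected per product from the
# `name` fields of `az apim product api list --product-id <name> -o json`.
PRODUCT_APIS = {
    "starter": ["echo-api"],
    "nosub": ["nosub-api", "echo-api"],
    "draft-open": ["internal-api"],
}

def load_products(text):
    """Parse the JSON list produced by `az apim product list -o json`."""
    return json.loads(text)

def open_products(products, include_unpublished=False):
    """Names of products callable without Ocp-Apim-Subscription-Key.
    APIs in a product can only be called once the product is published,
    so unpublished subscription-less products are reported on request only."""
    found = []
    for p in products:
        if p.get("subscriptionRequired", True):
            continue
        if p.get("state") != "published" and not include_unpublished:
            continue
        found.append(p["name"])
    return found

def apis_reachable_without_key(products, product_apis):
    """Map each API to the published subscription-less products exposing it.
    An API also assigned to a key-requiring product is still reachable
    keyless through the open product, so it is listed regardless."""
    exposure = {}
    for prod in open_products(products):
        for api in product_apis.get(prod, []):
            exposure.setdefault(api, []).append(prod)
    return exposure

if __name__ == "__main__":
    products = load_products(PRODUCTS_JSON)
    for api, via in apis_reachable_without_key(products, PRODUCT_APIS).items():
        print(f"{api}: reachable without subscription key via {', '.join(via)}")
```

Note that an API shared between a key-requiring product and an open product (echo-api above) is still exposed keyless, which is exactly the situation the warning above describes.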

Testing the API

Once you have created your API, add one or more operations. For this blog post, I will add one operation and mock it so I can test it easily.

First, I’ll add the operation:

[Screenshot: mockoperation1]

Next, I’ll add a representation (also called an example) to be used by the mock operation:

[Screenshot: mockoperation2]

Then I’ll add a mock-response policy to the operation, so it always returns the representation added earlier.

[Screenshot: mock-policy]

Once I have everything set up, this is the result in Postman:

[Screenshot: apim-nosub-result]

Success! I get the result of the mock operation, as expected.

Noteworthy:
Now that this API only has the subscription-less product assigned, sending a subscription key anyway results in an error with status code 401: “Access denied due to invalid subscription key.”

[Screenshot: apim-nosub-result-withsub]

When leaving the subscription key empty, the call succeeds again:

[Screenshot: apim-nosub-result-withemptysub]
