We welcome user feedback and feature requests!

Add ability to use API Key authentication

It would be nice to be able to protect API apps with a set of API Keys instead of requiring a user to manually log in. This would be especially helpful for backend APIs that don't require user authorization or are accessed primarily by other servers.

227 votes
Jeff H. shared this idea


  • Cody Sigvartson commented

    Would be great if this were implemented as stated by Mats. Though it isn't the most secure form of authentication, it works very well for a lot of smaller web services. Being such a common authentication practice, it should be able to be implemented with Azure.

  • Chris Gillum (MSFT) commented

    We still haven't decided whether this is something we want to add, given the security weaknesses of API keys. The main worry is folks abusing this feature by embedding API keys in their native client apps and having them discovered by malicious users.

    That said, if what you need is service-to-service authentication that doesn't require any manual login, you still have the option of using Azure AD and Service Principal authentication. More details here: https://azure.microsoft.com/en-us/documentation/articles/app-service-api-dotnet-service-principal-auth/

  • Jerome Brown commented

    This was marked "Under Review" over a year ago. Is there an update on the feature request? Several references in the documentation say only Coming Soon.

  • Mats Hallingström commented

    As a user, I should be able to access an App Service by supplying an access token in the request, as an alternative to AAD credentials.

    A lot of test tools for SOAP/REST/Web have weak or no support for AAD or OAuth2 authentication.
    Defining and including a predefined access token in each request would ease test and verification of app and web services.

    The alternative is to turn all authentication off, which is not desirable.

    This would work in the same way as for Visual Studio Team Services. A user can define a personal access token that allows the same access as an interactive login.

    Access tokens can be managed in the app service authentication/authorization settings.

  • enough commented

    For me that would also be tremendously helpful - though I would additionally like to use user authentication in my case.

  • Mike commented

    This feature would be extremely helpful for what I plan on doing with a web app that will let anonymous users retrieve read-only data from my API, and not allow anything but the web app to call the API. I'll use social logins for client-side authentication/authorization for users allowed to write data.
