API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

How can we improve Azure API Management?

  1. Circuit Breaker policy

    It would be nice to have a policy that implements the Circuit Breaker pattern (https://msdn.microsoft.com/en-us/library/dn589784.aspx)

    124 votes
    under review  ·  2 comments  ·  Policies
    • Log custom traces to Application Insights

      Provide a policy to log custom traces to Azure Application Insights, similar to the log-to-eventhub policy.

      81 votes
      planned  ·  4 comments  ·  Policies
      • Invalidate Cache based on other Operations

        It would be great if a cached operation could be invalidated based on another operation by default.

        E.g.

        GET: /products is cached with a long duration and is only invalidated by
        POST: /products

        Another way could be to invalidate based on HTTP verb. E.g. invalidate all caches in the API when a POST/PUT API is called.

        77 votes
        under review  ·  1 comment  ·  Policies
        • Add reusability mechanism for policies

          Give us some mechanism to create our own <policy-expression> type steps. For example, we need some snippet to be applied to multiple scopes; today we have to copy/paste all of that. It would be great to have some way to encapsulate custom policy expression logic and reuse it across multiple scopes.

          58 votes
          under review  ·  2 comments  ·  Policies
          • 55 votes
            4 comments  ·  Policies
            • Code re-use in API policies using custom functions or expressions

              I find myself regularly copying and pasting generic code functions across policies. It would be great if there was a policy where you add custom code functions or expressions to call in other policies. Maybe in the base policy or a new "custom expressions" policy.

              For example, I have generic code for policies fronting SOAP services that determines date timezones before converting dates to UTC. This code is duplicated across various APIs.

              Another example is a piece of code I add to each policy for error handling and recording to the event hub via logger.

              42 votes
              under review  ·  2 comments  ·  Policies
              • Extend support for .NET X509 in policies

                When working with certificates, it would be really useful to extend the .NET API surface to include X509Chain and related classes (so as to control the validation policy) and also the System.Security.Cryptography.X509Certificates.X509NameType object, so as to easily extract a CN from a certificate (for example).

                39 votes
                under review  ·  1 comment  ·  Policies
                • Define policies in JSON

                  I am not a big fan of XML so having an option to define policies using JSON would make it much easier to apply a policy and understand what exactly is going on.

                  36 votes
                  1 comment  ·  Policies
                  • Visual Studio Integration for Policy Editing and Testing

                    The policy editor in the publisher portal is terrible. A VS plugin that would allow IntelliSense, code completion, syntax checking and policy debugging would be extremely helpful.

                    35 votes
                    2 comments  ·  Policies
                    • Enable WS-Security for SOAP backends

                      In a REST to SOAP scenario where the backend demands the SOAP message to be signed using a certificate, it would be great if there were policies that could generate the whole message based on the contents of the body. Right now one can build the SOAP XML message using a liquid template but then the task of generating the security headers is hard (and I really don't know how to generate them). For example:

                      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.myweb.com">
                      <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                      ......<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-123456">generated_token</wsse:BinarySecurityToken>
                      <ds:Signature Id="SIG-65D54B60823432DD6615040826919135"…

                      35 votes
                      1 comment  ·  Policies

                        Hi Carlos – thanks for your feedback. We need more feedback from users on this feature due to the many complexities of how WS-Security is implemented. Would what Carlos describes be helpful for you? Is this preferable to a mutual TLS connection to secure the communication?

                      • Policy based on tags

                        Allow applying tags to operations / apis / products and then applying policies to tags.

                        The publisher would then be able to create a group of operations and apply a policy to all of them instead of having to group them in different products or apply the same policy to multiple operations. Tag policies should apply either before or after the product / api / operation level.

                        Example use case would be an API that has several operations that some can be cached and some that cannot. The tag could be applied to the operations that could be cached and…

                        30 votes
                        0 comments  ·  Policies
                        • Support building multipart/form-data in Policy Expressions for legacy APIs

                          Ability to build multipart/form-data requests from an originating non-multipart request. Ideally, the json-to-xml converter would also be able to be used. Use case is a legacy API for querying that accepts XML files submitted via multipart POST. Would like to expose it as a standard JSON service (no multipart), or at least a standard non-multipart XML service. Presumably adding multipart support would involve some additions to the available Policies.

                          23 votes
                          under review  ·  2 comments  ·  Policies
                          • Support global redirect for default pages

                            Hi Team,
                            We have an in-house solution to manage subscriptions on top of products, and we have a customized UI ("user-subscriptions" page) for that. We want users to use our own UI to subscribe to APIs so we can track the usage; we don't want them to have access to the default "products" page, because it will have untracked subscriptions.

                            Can we add support to redirect the built-in pages (for instance "products") to our own pages (like "user-subscriptions")?

                            19 votes
                            0 comments  ·  Policies

                              Thanks for the feedback. We’ll keep it in mind for the future. In the meantime, you can consider using delegation (http://aka.ms/apimdelegation), which is a feature specifically designed to allow customers to completely override sign-in/out and product subscription logic and UI. Admittedly, the two are coupled and have to be taken over together, which may not be ideal in your case.

                            • Return status code 405 instead of 404 when wrong method is used

                              Defining an API involves creating the resources and the allowed methods for each resource. When invoking the operation (accessing the resource) with a wrong HTTP method (for example, PUT instead of GET), the API Management service returns a 404 Resource Not Found instead of a 405 Method Not Allowed. Passing an OWASP test implies returning the correct code (https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#HTTP_Return_Code).

                              Is it possible to return this code with API Management right now? Will it be included in future releases?

                              18 votes
                              0 comments  ·  Policies
                              • Support expressions in calls attribute of rate-limit[-by-key] and quota[-by-key] policy of APIM

                                If the quota value can be an expression and dynamic, then it will be much easier to implement dynamic quota in a single product. I want to set a per-subscription quota without creating separate products for each subscription. Sometimes, we have a requirement to increase quota for just a single subscription, which forces us to create a new product just for that particular user. Another case is that we want to provide the capability to allow users to customize the quota value for IP/client-id throttling.

                                17 votes
                                need-feedback  ·  4 comments  ·  Policies
                                • Allow the creation of custom API templates with predefined policies

                                  Allow custom templates to be created, and made available for selection via the API creation page (see attached), with predefined policies. This will improve the user experience where the requirement is to have several APIs based on the same boilerplate policies. Product policies could be used but require all APIs to be assigned to the same product, which does not give flexibility in restricting access to the APIs.

                                  15 votes
                                  0 comments  ·  Policies
                                  • validate-jwt openid-config url attribute should support expressions

                                    I see this was declined a year ago but the alternative is not a good solution. ref: https://feedback.azure.com/forums/248703-api-management/suggestions/31936303-support-expressions-in-openid-config-url-of-valida

                                    Say I have 2 API developer accounts and for each one I have a document in Cosmos DB with extra data about each developer. In here I have an open ID configuration URL so that these developers can use their own authentication tokens to connect to my API. As a first step in all policies, after I have retrieved the developer data, I use the validate-jwt policy passing in the url. Ideal scenario. Doesn't work.

                                    Now looking at the alternative:
                                    I duplicate…

                                    13 votes
                                    0 comments  ·  Policies
                                    • Add comment to policies

                                      Before the possibility of form-based editing for Allowed IP addresses in the API Management policies, we could put comments in the code body.

                                      With every IP address we whitelist, we also like to keep track of whose IP address it is. Before, we did that with comments. Currently, commenting in the policies body is no longer possible. All comments placed here will be deleted once you save it.

                                      Commenting is only possible in the header.

                                      It would be useful to have an extra field next to the policy. This field can be used as a comment field.

                                      When entering…

                                      11 votes
                                      1 comment  ·  Policies
                                      • Adding AAD Application authentication policy

                                        Add a policy for Azure AD Application Authentication, to make it easy to protect the backend API Apps with a requirement of Azure AD authentication.

                                        10 votes
                                        0 comments  ·  Policies
                                        • New policy to sign JWT

                                          We currently have a scenario where we secure the calls to API Management instances via JWTs signed specifically for APIM. Based on some criteria, we are then signing new JWTs to talk to back-end environments. We do not want to secure the actual APIs via certificates, but simply via JWTs signed by API Manager.

                                          Currently I am using a secured call to an Azure function that signs a JWT and returns the token back, but ideally we would like to have this feature built in.

                                          10 votes
                                          under review  ·  2 comments  ·  Policies