API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Enable WS-Security for SOAP backends

    In a REST to SOAP scenario where the backend demands the SOAP message to be signed using a certificate, it would be great if there were policies that could generate the whole message based on the contents of the body. Right now one can build the SOAP XML message using a liquid template but then the task of generating the security headers is hard (and I really don't know how to generate them). For example:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.myweb.com">
    <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ......<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-123456">generated_token</wsse:BinarySecurityToken>
    <ds:Signature Id="SIG-65D54B60823432DD6615040826919135"…

    57 votes
    4 comments  ·  Policies
  2. Support in "produces" section the Accept-Header from OpenAPI specification

    The produces/consumes value is a MIME type.
    1. “consumes” specifies the format that the API can accept. So “consumes” only affects operations with a request body, such as POST, PUT and PATCH.
    It is sent via the “Content-Type” header.
    2. “produces” specifies the format that the API can return.
    It is sent via the “Accept” header.

    Using the “Accept” header the user can select needed API response MIME type (e.g. "text/plain", "application/octet-stream", "*/*").

    When sending a request with Swagger UI, we can select the "application/octet-stream" Response Content Type.
    The request was sent by Swagger UI with the “Accept” header value filled "application/octet-stream".

    In the…

    51 votes
    1 comment  ·  Developer portal
  3. Ability to assign public static IP address to public endpoint

    When the API consumer is adding firewall rules, changes to the public IP address cause maintenance churn. There are some instances where API Management is used under test and QA controlled by DevOps and the endpoint address changes every time the resource is recreated. Requesting the ability for API Management to be treated like any other resource in the DevOps process.

    38 votes
    4 comments  ·  Integration
  4. Increase password strength for basic user accounts

    Basic user accounts can be created via:
    1. Admin portal (minimum password length=6)
    2. Self registration page (minimum password length=8).
    No other rule applies, i.e. very poor password strength.

    When possible, we definitely use AAD.
    For cases where we cannot use AAD, the Azure PaaS Developer Support Team has recommended that we use Facebook, Google, Microsoft or Twitter accounts...

    Please, provide UI page where Admin can design password policy by choosing;
    - Minimum password length. [Default=8?].
    - English upper case letters (e.g., A, B, C, ...Z). [Checkbox True|False].
    - English lower case letters (e.g., a, b, c, ...z). [Checkbox…

    33 votes
    need-feedback  ·  0 comments  ·  Security
  5. Support expressions in calls attribute of rate-limit[-by-key] and quota[-by-key] policy of APIM

    If the quota value can be an expression and dynamic, then it will be much easier to implement a dynamic quota in a single product. I want to set a per-subscription quota without creating separate products for each subscription. Sometimes, we have a requirement to increase the quota for just a single subscription, which forces us to create a new product just for that particular user. Another case is that we want to provide the capability to allow users to customize the quota value for IP/client-id throttling.

    23 votes
    need-feedback  ·  6 comments  ·  Policies
  6. Allow the creation of custom API templates with predefined policies

    Allow custom templates to be created, and made available for selection via the API creation page (see attached), with predefined policies. This will improve the user experience where the requirement is to have several APIs based on the same boilerplate policies. Product policies could be used but require all APIs to be assigned to the same product, which does not give flexibility in restricting access to the APIs.

    21 votes
    3 comments  ·  Policies
  7. Add the feature to enable/disable an API temporarily

    We can't enable/disable an API temporarily easily just from the portal or any other way. Please help to add this new feature if possible.

    16 votes
    2 comments  ·  API management experience
  8. Hiding operations in developer portal

    This is a duplicate but the original suggestion was closed as Completed.

    I would like to hide operations in the developer portal but still expose them through the proxy.

    14 votes
    6 comments  ·  Defining APIs
  9. API Management Swagger Definition does not give model details.

    I have imported a Swagger definition file into the APIM Publisher portal. It shows different actions but there is no info about the navigation property from an entity which is specified in the Entity Framework model. I would want to publish that information on the developer portal as well. See the attached picture.

    13 votes
    0 comments  ·  Developer portal
  10. Adding AAD Application authentication policy

    Add a policy for Azure AD Application Authentication, to make it easy to protect the backend API Apps with the requirement of Azure AD authentication.

    13 votes
    0 comments  ·  Policies
  11. Allow CORS headers for Management API

    In order to invoke a Management REST API endpoint (like ***.management.azure-api.net/apis?api-version=vvv) from a browser's JS code, CORS headers should be enabled there. Moreover, full Management REST API endpoint configuration (thru Azure portal) is a very welcome addition.

    10 votes
    0 comments  ·  Service management
  12. Add a "go to on-error" policy

    The policy should transition control flow to the "on-error" section and be customizable with error details.

    9 votes
    0 comments  ·  Policies
  13. Allow non-premium tier API managers to have multiple proxy custom domains

    We're trying to develop some APIs and in order to host them through an API manager and have the endpoints resolve to the proxy domain we have to set up API managers for every single API, unless we use the premium tier. But the premium tier is SO much more expensive than the developer tier that it just isn't cost effective to do that.

    9 votes
    1 comment  ·  Pricing

    APIs in API Management are identified by their name. Let’s say the names of the two APIs are “api1” and “api2” respectively and the default host name of the API Management instance is “constoso.azure-api.net”. Both APIs would share the same host name and would be addressed as follows:

    api1: constoso.azure-api.net/api1
    api2: constoso.azure-api.net/api2

    Please explain why you are compelled to have individual host names for your APIs?

  14. Authentication with HMAC

    Currently, my project is using HMAC-SHA256 to do the authorization. We are struggling with how to generate, transmit and store the secret key between the client side and ours. Is there any secure way to do this?

    8 votes
    0 comments  ·  Security
  15. Allow SOAP services with complex WSDL to be manually built

    My organization has a large number of legacy SOAP services that have large complex WSDL based on external XSDs. Currently the APIM product is not able to manage the service operations given the complexity. Allow for the type structures to be manually created so that the management tools can function.

    7 votes
    0 comments  ·  Defining APIs
  16. Ability to Change Developer's Name and Email

    Hi,
    It seems that once you have created a Developer (or they have signed up), it is not possible for an admin/publisher user to modify the user's email address, first name or last name.
    The user can change this themselves via Developer Portal, but no way for admin to do anything.

    6 votes
    1 comment
  17. Import API to new revision

    Currently you can import an OpenAPI specification to either a new API, replace the existing API or append it to the existing API.
    It'd be useful to be able to create a new revision off the newly imported specification rather than the currently available options.

    6 votes
    1 comment  ·  Defining APIs
  18. Change machine hosts file

    We publish a set of APIs exposed through internal services on AKS. Instead of using an internal IP address it would be great to use a sort of hosts file or point API Management to a custom DNS server so I can publish APIs with a hostname and not the IP address.

    6 votes
    0 comments  ·  Gateway
  19. Provide API Management in the German Cloud

    German companies are starting to deploy their workloads in the Cloud, but in the German one, and many of our clients ask about the availability of API Management in this region. It is actually a very important service for them.

    6 votes
    0 comments  ·  API management experience
  20. Extend the various schemas

    Having extensibility built into the user, application and other schemas would be useful for capturing the correct level of data from users

    6 votes
    2 comments  ·  Developer portal