Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback.

API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Support XSD Schema Validation

    It would be good to have a built-in policy that allows either the request body or explicitly specified content (such as a variable or property) to be validated against a specified XSD schema.

    24 votes
    1 comment  ·  Policies
  2. Upgrade XSLT transformation policy to XSLT 3

    API Management currently only supports XSLT 1.0. Can it be updated to XSLT 3.0 so it will enable transforms with both xml AND json? This will be very powerful as currently xml <-> json interactions require lots of XSLT template code.

    24 votes
    under review  ·  0 comments  ·  Policies
  3. Add comment to policies

    Before the possibility of form-based editing for Allowed IP addresses in the API management policies, we could put comments in the code body.

    With every IP address we whitelist we also like to keep track of whose IP address it is. Before we did that with comments. Currently commenting in the policies body is no longer possible. All comments placed here will be deleted once you save it.

    Commenting is only possible in the header.

    It would be useful to have an extra field next to the policy. This field can be used as a comment field.

    When entering…

    23 votes
    under review  ·  0 comments  ·  Policies
  4. Support UrlEncoding for the C# implementation.

    I have had several element when integrating with backend service APIs where the Authentication token and other properties need to be UrlEncoded (i.e. SAS tokens, or redirect URL on query strings).

    Normally in C# I would use the HttpUtility class (UrlEncode methods) but these are not available / supported classes in the custom policy section of the site.

    Would be nice to have the HttpUtility class and some more of the Encoding classes available.

    19 votes
    under review  ·  2 comments  ·  Policies
  5. Support global redirect for default pages

    Hi Team,
    We have an in-house solution to manage subscriptions on top of products, and we have a customized UI ("user-subscriptions" page) for that. We want users to use our own UI to subscribe to APIs so we can track the usage; we don't want them to have access to the default "products" page, because it will have un-tracked subscriptions.

    Can we add support to redirect the built-in pages (for instance "products") to our own pages (like "user-subscriptions")?

    19 votes
    0 comments  ·  Policies

    Thanks for the feedback. We’ll keep it in mind for the future. In the meantime, you can consider using delegation (http://aka.ms/apimdelegation) which is a feature which is specifically designed to allow customers to completely override sign-in/out and product subscription logic and UI. Admittedly, the two are coupled and have to be taken over together which may not be ideal in your case.

  6. Define custom C# method and class in APIM Policy

    It is very useful to write C# syntax in APIM Policy. But from the viewpoint of reusability for code snippet, I'd like to define custom C# method and class in APIM Policy.

    API Management policy expressions
    https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#syntax

    Currently, we have to write the same C# code on each section (inbound, outbound, backend, on-error) in APIM Policy.
    If we can define custom C# method and class and call these on any policy section, we can simplify the APIM policy content and it becomes easy to develop it.

    18 votes
    0 comments  ·  Policies
  7. Support code only policies

    Allow us to develop policies using code alone, maybe using a language like C#

    The objective would be to use only C# (or Asp.NET (Core)) to write policies with code from scratch anywhere and maybe opening it a bit more to allow more .Net framework types than just these:
    https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#CLRTypes

    18 votes
    0 comments  ·  Policies
  8. Allow ip-filter to leverage ServiceTags

    Currently the ip-filter policy requires explicitly set IP addresses or ranges. It would be useful to allow the ip-filter to accept Azure Service Tags as the value so large IP ranges don't have to be entered manually (and kept up-to-date on a weekly basis).

    A specific use-case is restricting API Management to only accept traffic from Front Door. Of course, this can be done with VNET integration of a premium tier APIM and an NSG, but VNET integration is not always the best deployment model (and not everyone needs premium tier).

    This post shows can App Services makes use of Service…

    15 votes
    0 comments  ·  Policies
  9. Add a "go to on-error" policy

    The policy should transition control flow to the "on-error" section and be customizable with error details.

    14 votes
    1 comment  ·  Policies
  10. Support Newtonsoft.Json.JsonSerializerSettings in policies

    APIs that get re-written in policy to a json object output often end up with several properties that are null, to save bandwidth we'd like to exclude those null properties when calling the ToString method and passing the serializer settings (NullValueHandling) that remove null properties from the output.

    14 votes
    2 comments  ·  Policies
  11. API versioning with header doesn't work for APIs with CORS policies.

    We have enabled versioning of APIs using a header 'api-version'.
    We also have enabled CORS policies on the API.

    The problem that we have is when a CORS pre-flight request (OPTIONS) is sent to API by browser the required api-Version header is not present and thus a 404 is returned from API-M and we receive a CORS Failure in the browser.

    14 votes
    4 comments  ·  Policies
  12. Define Policy with Product and API and Operation scope

    Currently it is not possible to define policies for a specific product and API and operation so that the policy is in effect when the 3 (product/API/operation) are in play. This is a common use case.

    13 votes
    under review  ·  0 comments  ·  Policies
  13. Adding AAD Application authentication policy

    Add a policy for Azure AD Application Authentication, to make it easy to protect the backend API Apps with requirement of Azure AD authentication.

    13 votes
    0 comments  ·  Policies
  14. validate-jwt openid-config url attribute should support expressions

    I see this was declined a year ago but the alternative is not a good solution. ref: https://feedback.azure.com/forums/248703-api-management/suggestions/31936303-support-expressions-in-openid-config-url-of-valida

    Say I have 2 API developer accounts and for each one I have a document in Cosmos DB with extra data about each developer. In here I have an open ID configuration URL so that these developers can use their own authentication tokens to connect to my API. As a first step in all policies, after I have retrieved the developer data, I use the validate-jwt policy passing in the url. Ideal scenario. Doesn't work.

    Now looking at the alternative:
    I duplicate…

    13 votes
    0 comments  ·  Policies
  15. client cert with public key

    We have a scenario that we would like to use Azure APIM to replace another vendor's API GW in use today. However, there is a serious flaw in APIM that prevents us from doing so. Many of our web services (this is healthcare so a bit more old school) are secured by client cert auth. If the public cert isn't in our API GW store and authorized for the web service then the authentication/authorization is rejected.

    Azure APIM currently (as far as I can tell) only allows certs with private keys to be loaded for validation using the cert store…

    12 votes
    0 comments  ·  Policies
  16. Support DateTime.TryParse & TryParseExact in Policy Expressions

    I have an API endpoint that receives and validates a block of json in the request body, and then forwards that json on to our backend.

    One of the validation requirements is for datetime values to comport with the format defined in section 5.6 of RFC3339:
    https://tools.ietf.org/html/rfc3339#section-5.6

    This wouldn't be too difficult if we had access to DateTime.TryParseExact(). The code would look like this:
    string[] validDateTimeFormats = new string[] { /* FORMAT STRINGS */ };
    DateTime temp = new DateTime();
    bool correctFormat = DateTime.TryParseExact(dateTimeString, validDateTimeFormats, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out temp);

    But since I don't have access to those methods, I need to…

    12 votes
    1 comment  ·  Policies
  17. Add support for custom user attributes

    It would be nice to add support for extending the user attributes beyond the basics in place now of name, email, etc. In cases where the user is associated to a downstream (back-end) entity that is identified differently from any of the existing fields, there isn't a way to do this without corrupting the "Notes" fields. It would be nice if Administrators can extend the user schema to contain custom attributes that can be fetched from within policies.

    11 votes
    3 comments  ·  Policies
  18. API management policy

    In Apigee there is a policy which lets you create a custom JavaScript policy, so I wish to add this kind of custom policies in Azure.

    10 votes
    under review  ·  0 comments  ·  Policies
  19. Support producing elements with namespace by json-to-xml policy.

    Now, json-to-xml policy doesn't support producing elements with namespaces. The formats that can be converted are very limited now.
    It's better if this policy supports producing elements with namespace.

    9 votes
    0 comments  ·  Policies
  20. Improve cache-store policy by optionally listening to the response HTTP headers

    The <cache-store> policy could be improved by adding one or more parameters so that you can decide to use it as-is (caching all responses with a fixed duration), or so that it becomes a bit more dynamic:

    no-store="true" for example could prevent caching responses when the Cache-Control or Pragma HTTP header is present on the response with a no-cache or no-store value.

    useResponseDuration="true" could enable using the Cache-Control duration for the API Management cache duration.

    9 votes
    0 comments  ·  Policies