API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Mark api/operations as obsolete/deprecated

    Our API is updated frequently. Some operations, and even a whole API, could be deprecated.
    We can't mark an api/operation as deprecated. For now, only modifying the description could help us, but it's not enough, because nobody really reads the description from start to end. And we can't highlight information in it.
    Please give us a button "Mark api/operation as deprecated" plus a textbox for a description of why it happened and what other method should be used now (maybe with a check that the new operation is available).
    Also highlight the information that the api/operation is deprecated in a description or somewhere else for current consumers.
    And in the final-…

    144 votes
    4 comments  ·  Defining APIs
  2. Allow multi-region deployment at Standard Tier

    Standard Tier currently does not allow for multi-region deployment. Premium transaction levels are so much higher and more costly, when there may only be need for a very small deployment in some geos, but need to be co-located with services already deployed to those geos. Allow for more flexibility in the deployment model, so a user can tune what they need in each different Geo (Premium in US, Standard in EU, Basic/Dev in AU).

    139 votes
    under review  ·  5 comments  ·  Pricing
  3. Add support for ionic scheme in CORS policy

    Today CORS policy in APIM only allows http, https or file scheme in allowed-origins.
    https://docs.microsoft.com/en-us/azure/api-management/api-management-cross-domain-policies#CORS

    Ionic webview plugin serves application from ionic:// or custom scheme. None of http, https or file is valid in ionic webview.
    https://github.com/ionic-team/cordova-plugin-ionic-webview

    Please add support for the ionic scheme. Thank you.

    138 votes
    8 comments
  4. Log custom traces to Application Insights

    Provide a policy to log custom traces to Azure Application Insights, similar to the log-to-eventhub policy.

    136 votes
    planned  ·  4 comments  ·  Policies
  5. Purge cache from external system

    To control caching time of API-returned items aggressively and issue a command to purge the cache from an external system that is aware of when items are refreshed. The refresh cycle is not periodic and can vary.

    129 votes
    planned  ·  5 comments  ·  API management experience
  6. Better pricing structure for API Management

    We currently use 4 instances of APIM for duplicating our environments (Dev/UAT/Pre Prod and Production)

    We went with APIM as a solution for fronting some Azure services and some internal services. Due to the VPN access only being available on Premium, we are paying for over 32 million calls a day when we will barely generate 1 million. So we have 4 Premium APIM instances costing us £6000 a month purely for the VPN access. Forcing us to pay for a level we do not require just for a feature of the environment, it would be better if the…

    129 votes
    19 comments  ·  Pricing
  7. Export variables reporting throttling information from rate-limit policy

    There are ongoing RFCs to give clients the capability to throttle their call rate to avoid hitting the cap imposed by rate-limit policies.

    A possible way to implement this is to return in the response header 4 variables containing:


    • The current limit set by the policy

    • Amount of remaining calls before hitting the limit

    • Number of seconds to wait before getting the limit reset to the maximum

    • Number of seconds to wait before retrying (only when calls are blocked)

    119 votes
    3 comments  ·  Policies
  8. We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

    We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

    117 votes
    triaged  ·  5 comments  ·  Security
  9. OAuth 2.0 implementation support/Securing APIs using OAuth

    A major bonus when using an API management system should be that it helps you secure your backend APIs using standard techniques. Other API management systems (such as Kong, see https://getkong.org/plugins/oauth2-authentication/) have support for this, where the APIm acts as a Bearer token store and validates the tokens for you.

    Obviously, this will only work for the Client Credentials and possibly also Resource Owner Password Flows, as the others require additional UI, but still this would be a very nice add-on, which enables you to leverage OAuth for backends which are actually OAuth-agnostic.

    Azure APIm would then also need…

    107 votes
    under review  ·  5 comments  ·  Security
  10. Support Swagger Documentation - Object representation with nested $ref issue

    Hi,

    There is an issue regarding Swagger files for complex objects which use nested $ref. According to the program team, it's not supported yet by API Management, although it works well in Swagger UI.

    This is a big issue for me, as we can't manage documentation manually in case our object definition evolves. Furthermore, even if we manually put a JSON object example in the APIM Publisher portal, we can't define the object model associated with it.

    Could you please make Swagger documentation work with nested $ref in APIM?

    Thanks.

    107 votes
    6 comments
  11. Controlling Signup button functionality

    Currently there is no support to disable Signup functionality. If we disable Identities, it disables the Login also.

    There must be a way to achieve this. Refer to the link below for more details:

    https://social.msdn.microsoft.com/Forums/azure/en-US/3b8c8c60-0e26-4d7f-9a6f-2f2bc6b84bf2/how-to-disable-signup-button-functionality-on-developer-portal?forum=azureapimgmt

    100 votes
    under review  ·  1 comment  ·  Developer portal
  12. Programmatically Import Azure Function into APIM

    I've created an Azure DevOps release pipeline to update APIM API by importing a swagger file via PowerShell. The swagger file was exported from APIM Dev instance, and the release pipeline imports it into QA APIM instance. However, backend is wrong, and there are missing keys that prevent QA APIM API from calling QA Az Function API.

    It all works if I manually import the QA Az Func API into QA APIM API via APIM UI... and keys are automagically generated for Az Func & APIM.

    So I need a way to set up a DevOps release pipeline to deploy a QA…

    97 votes
    6 comments  ·  Integration
  13. Invalidate Cache based on other Operations

    It would be great if a cached operation could be invalidated based on another operation by default.

    E.g.

    GET: /products is cached with a long duration and is only invalidated by
    POST: /products

    Another way could be to invalidate based on HTTP verb. E.g., invalidate all caches in the API when a POST/PUT API is called.

    94 votes
    under review  ·  3 comments  ·  Policies
  14. Support/force TLS 1.3

    As the new TLS 1.3 will be released soon, it would be great to support and possibly force TLS 1.3 on all connections on the front and back-end.

    89 votes
    under review  ·  5 comments  ·  Security
  15. Ability to Group Subscription Keys

    Currently the subscription keys are issued at the 'Product' level. These products basically map to resource features. It is great that subscription is managed at this granularity, but it would be better if the subscriptions could also be managed at higher levels. I may want to use the same subscription key to access multiple products (or bundles) or even go to a higher level of managing APIs at multiple bundles level (or container) with a single key. This way the developers can use the same subscription key across products, bundles or container levels as configured by the publisher of the…

    88 votes
    under review  ·  0 comments  ·  Developer portal
  16. Enable WS-Security for SOAP backends

    In a REST to SOAP scenario where the backend demands the SOAP message to be signed using a certificate, it would be great if there were policies that could generate the whole message based on the contents of the body. Right now one can build the SOAP XML message using a liquid template but then the task of generating the security headers is hard (and I really don't know how to generate them). For example:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.myweb.com">
    <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ......<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-123456">generated_token</wsse:BinarySecurityToken>

      <ds:Signature Id="SIG-65D54B60823432DD6615040826919135"
    87 votes
    6 comments  ·  Policies

    Hi Carlos – thanks for your feedback. We need more feedback from users on this feature due to the many complexities of how WS-Security is implemented. Would what Carlos describes be helpful for you? Is this preferable to a mutual TLS connection to secure the communication?

  17. Log x-forwarded-for header in API Management Gateway log

    If API Management is fronted by a WAF or proxy, the IP logged in the API Management Gateway log is not the original IP.

    WAFs like the Application Gateway Web Application Firewall do add an x-forwarded-for header; however, the current API Management Gateway log does not include it.

    83 votes
    planned  ·  1 comment  ·  Security
  18. Add Self-hosted API Management gateway to Basic and Standard pricing tiers

    Please consider adding the self-hosted API Management gateways to the Basic and Standard tiers. At a minimum, at least three instances for HA purposes.

    The argument for this is that you will drive up the adoption of Azure APIM and generate considerable Azure consumption through the take up.

    Alternatively please consider a per gateway pricing option to cover any additional overheads.

    82 votes
    0 comments  ·  Gateway
  19. Deploy APIM in Azure Emulator to allow for local testing of configurations

    Add APIM to the Azure emulator to allow testing of routing and policies.

    81 votes
    under review  ·  0 comments  ·  API management experience
  20. Single Swagger file for all APIs

    Support producing/exporting a single Swagger file for all APIs within API management.

    81 votes
    under review  ·  5 comments  ·  Developer portal