API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Allow multi-region deployment at Standard Tier

    Standard Tier currently does not allow for multi-region deployment. Premium transaction levels are so much higher and more costly, when there may only be need for a very small deployment in some geos, but need to be co-located with services already deployed to those geos. Allow for more flexibility in the deployment model, so a user can tune what they need in each different Geo (Premium in US, Standard in EU, Basic/Dev in AU).

    124 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  5 comments  ·  Pricing  ·  Flag idea as inappropriate…  ·  Admin →
  2. Purge cache from external system

    To control caching time of API-returned items aggressively and issue a command to purge cache when from external system that is aware when items are refreshed. Refresh cycle is not periodic, and can vary.

    122 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    planned  ·  5 comments  ·  API management experience  ·  Flag idea as inappropriate…  ·  Admin →
  3. Log custom traces to Application Insights

    Provide a policy to log custom traces to Azure Application Insights, similar to the log-to-eventhub policy.

    117 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    planned  ·  4 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  4. Export variables reporting throttling information from rate-limit policy

    There are ongoing RFC to give clients the capability to throttle calls rate to avoid hitting the capping imposed by rate-limit policies.

    A possible way to implement this is to return in the response header 4 variables containing:


    • The current limit set by the policy

    • Amount of remaining calls before hitting the limit

    • Number of seconds to wait before getting the limit reset to the maximum

    • Number of seconds to wait before retrying (only when calls are blocked)

    111 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  5. Support gRPC in Azure API Manager

    Please add support for gRPC to Azure API Manager.
    I would like to expose gRPC services to clients.
    It would also be great if we can have REST services for clients that call backend gRPC services.

    107 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Flag idea as inappropriate…  ·  Admin →
  6. Mark api/operations as obsolete/deprecated

    Our api is updating frequently. Some operations and even whole api could be deprecated.
    We can't mark api/operations as deprecated. Now, only modify description could help us but it's not enough. Because nobody really read the description from start to end. And we can't highlight information in it.
    Please- give as a button "Mark api/operation as deprecated" + textbox for description why it happened and what other method should be used now(maybe with checking that new operations is available).
    Also highlight information about api/operation is deprecated in a description or somewhere else for a current consumers.
    And in the final-…

    100 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Defining APIs  ·  Flag idea as inappropriate…  ·  Admin →
  7. Controlling Signup button functionality

    Currently there is no support to disable Signup functionality. If we disable Identities, it disables the Login also.

    There must be a way to achieve this. Refer below link for more details:

    https://social.msdn.microsoft.com/Forums/azure/en-US/3b8c8c60-0e26-4d7f-9a6f-2f2bc6b84bf2/how-to-disable-signup-button-functionality-on-developer-portal?forum=azureapimgmt

    93 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Developer portal  ·  Flag idea as inappropriate…  ·  Admin →
  8. Support Swagger Documentation - Object representation with nested $ref issue

    Hi,

    There is an issue regarding Swagger file for complex objects which are using nested $ref, according to the program team, it's not supported yet by API Management although it works well in Swagger UI.

    This is for me a big issue as we can't manage documentation manually in case our object definition evolve. Furthermore, even if we put manually a json object example in APIM Publisher portal, we can't define the object model associated to it.

    Could you please make Swagger documentation work with nested $ref in APIM?

    Thanks.

    93 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    6 comments  ·  Flag idea as inappropriate…  ·  Admin →
  9. Code re-use in API policies using of custom functions or expressions

    I find myself regularly copying and pasting generic code functions across policies. It would be great if there was a policy where you add custom code functions or expressions to call in other policies. Maybe in the base policy or a new "custom expressions" policy.

    For example, I have generic code for policies fronting SOAP services that determines date timezones before converting dates to UTC. This code is duplicated across various APIs.

    Another example is a piece of code I add to each policy for error handling and recording to the event hub via logger.

    92 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  3 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  10. Better pricing structure for API Management

    We currently use 4 instances of APIM for duplicating our environments (Dev/UAT/Pre Prod and Production)

    We went with APIM as a solution for fronting some azure services and some internal services. Due to the VPN access only being available on Premium we are paying for over 32 Millions calls a day when we will barely generate a 1 Million. So we have 4 Premium APIM instances costing us £6000 a month purely for the VPN access. Forcing us to pay for a level we do not require just for a feature of the environment, it would be better if the…

    91 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    15 comments  ·  Pricing  ·  Flag idea as inappropriate…  ·  Admin →
  11. OAuth 2.0 implementation support/Securing APIs using OAuth

    A major bonus when using an API management system should be that it helps you secure your backend APIs using standard techniques. Other API management systems (such as Kong, see https://getkong.org/plugins/oauth2-authentication/) have support for this, where the APIm acts as a Bearer token store and validates the tokens for you.

    Obviously, this will only work for the Client Credentials and possibly also Resource Owner Password Flows, as the others require additional UI, but still this would be a very nice add-on, which enables you to leverage OAuth for backends which are actually OAuth-agnostic.

    Azure APIm would then also need…

    91 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  5 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  12. Invalidate Cache based on other Operations

    It would be great if a cached operations could be invalidated based on another operation by default.

    Eg

    GET: /products is cached with a long duration and is only invalidated by
    POST: /products

    Another way could be to invalidated based on HTTP verb. Eg invalidate all caches in api when a POST/PUT Api is called

    87 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  2 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  13. Add support for ionic scheme in CORS policy

    Today CORS policy in APIM only allows http, https or file scheme in allowed-origins.
    https://docs.microsoft.com/en-us/azure/api-management/api-management-cross-domain-policies#CORS

    Ionic webview plugin serves application from ionic:// or custom scheme. None of http, https or file is valid in ionic webview.
    https://github.com/ionic-team/cordova-plugin-ionic-webview

    Please add support for inoic scheme. Thank you.

    84 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Flag idea as inappropriate…  ·  Admin →
  14. Ability to Group Subscription Keys

    Currently the subscription keys are issued at the 'Product' level. These products basically map to resource features. It is great that subscription is managed at this granularity but it would be better if the subscriptions can also be managed at higher levels. I may want to use the same subscription key to Axcess multiple products (or bundles) or even go to a higher level of managing APIs at multiple bundles level (or container) with a single key. This way the developers can use the same subscription key across products, bundles or container levels as configured by the publisher of the…

    83 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Developer portal  ·  Flag idea as inappropriate…  ·  Admin →
  15. Support/force TLS 1.3

    As the new TLS 1.3 will be released soon, it would be great to support and possibly force TLS 1.3 on all connection on the front and back-end.

    79 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  4 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  16. Single Swagger file for all APIs

    Support producing/exporting a single Swagger file for all APIs within API management.

    78 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  5 comments  ·  Developer portal  ·  Flag idea as inappropriate…  ·  Admin →
  17. Automated backup for APIM

    Provide automated and manual backup feature something similar to what we have in Azure Web Apps (
    https://docs.microsoft.com/en-us/azure/app-service/web-sites-backup#configure-automated-backups ).

    77 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  9 comments  ·  Lifecycle  ·  Flag idea as inappropriate…  ·  Admin →
  18. We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

    We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

    76 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    triaged  ·  2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  19. Enable WS-Security for SOAP backends

    In a REST to SOAP scenario where the backend demands the SOAP message to be signed using a certificate, it would be great if there were policies that could generate the whole message based on the contents of the body. Right now one can build the SOAP XML message using a liquid template but then the task of generating the security headers is hard (and I really don't know how to generate them). For example:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/&quot; xmlns:web="http://webservices.myweb.com">
    <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot; xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ......<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary&quot; ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3&quot; wsu:Id="X509-123456">generated_token</wsse:BinarySecurityToken>

      &lt;ds:Signature Id=&quot;SIG-65D54B60823432DD6615040826919135&quot;
    71 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  20. Allow disabling/stopping of API Management during evaluation to preserve subscription credits

    I am evaluating API Management using Visual Studio Subscription credits. The credits are depleted even when I am not testing API Management and are likely to be exhausted before I have completed evaluation. This is both frustrating and prevents me from completing my evaluation. Other API Management providers such as apigee provide a superior evaluation experience.

    This issue has already been raised before and the answer is not satisfactory
    https://social.msdn.microsoft.com/Forums/en-US/f4522315-fd3b-4129-b758-e74b22d74145/how-can-i-quotdisablequot-but-not-delete-an-api-management-service?forum=azureapimgmt

    69 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Pricing  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base