API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Custom Headers Missing In Azure Portal Operation Test

    Recently, about a month ago, I was working on some policies for some of my API Operations and noticed when I went to test them in the Azure portal that my custom headers and defaults were missing. It seems there has been a change made that requires you to manually add the headers and select the default value in order to test the API Operation. I have over 45 APIs with 100s of operations. I have headers defined with default values so that I can quickly open the API Operation and test the operation without having to set it up.…

    1 vote
    0 comments  ·  API management experience
  2. Url Helper Policy Expressions for Route Building

    As a developer I want to include hypermedia links to other operations in the same and other API sets so that I have easy navigation for clients between APIs.

    Today, these link url paths must be hard coded based on what is known. To provide flexibility while developing APIs and to ensure routes are actually valid, provide a url helper method to generate these routes.

    Example:

    context.RouteFor("API-ID", "Version", "Operation-ID", new {param1=1,param2="hello"})

    Today:

    <set-body>{
        // The link path is hard coded; only the query value comes from the matched request parameters.
        return JObject.FromObject(new {
            _links = new[] {
                new { href = $"/api/operation?query={context.Request.MatchedParameters.GetValueOrDefault("query", string.Empty)}&api-version=2018-10-31", rel = "other-api", type = "GET" }
            }
        });
    }</set-body>

    With a helper:

    <set-body>{ …

    1 vote
    0 comments  ·  Policies
  3. Support for token bucket - enable burst quota

    The current quota/call rate limit is +1 per call. In practice this means we create SKUs based on the maximum expected spike rather than average usage. By supporting a token bucket model (https://en.wikipedia.org/wiki/Token_bucket) we could define a SKU more aligned with our actual usage.

    For example: on average we have 50 calls per second, but need to be able to spike to 250 calls per second.

    Today we'd create a 250 calls per second throttle policy for this key/product which is not optimal.

    1 vote
    under review  ·  0 comments  ·  Policies
  4. Can you add System.Security.Cryptography.X509Certificates into whitelist. So it can be used to verify certificates.

    System.Security.Cryptography.X509Certificates is required to verify if a certificate is revoked or not and also validate the certificate chain.

    1 vote
    1 comment
  5. Allow control over publisher notifications

    There currently is no control over publisher notifications. Developer notification functionality could be replicated for publisher notifications. A small example is in Organization Name, this can be changed for developer notifications but not for publisher notifications.

    1 vote
    0 comments
  6. add ability to mark a header or parameter value as private

    We have additional credentials that are configured to be passed as additional headers. It would be nice to be able to mark these as "private" in the configuration so in the "try it" page the values that are typed in are handled like the subscription key and they appear as dots when typed. Right now when we're doing a screen share demonstration, people watching the demonstration have full view of the username and password being entered. Sure, we can go through special means to have dummy accounts or dummy systems, or change the credentials as soon as the demo is…

    1 vote
    need-feedback  ·  0 comments  ·  Defining APIs
  7. Policy tag directory

    Have a comprehensive directory that has all of the tags that can be used in the policy XML.

    An example is to have documentation of the <when> tag regarding which tags can be nested within and which attributes it accepts.

    I seem to be unable to find any resource that has detailed documentation on these multi-use tags.

    Thank you

    1 vote
    0 comments  ·  Policies
  8. Base an API revision off a git branch

    This may be possible, I'm not sure, but it would be useful if you could add a revision to an API or the entire API management and have it based off a branch in the git repository. This would allow a side by side API based on your staged changes and allow you to test in a blue/green scenario. Once the API is tested if you could make it public.

    1 vote
    under review  ·  0 comments  ·  Integration
  9. Fix the terminology

    Our team just spent a whole day looking for ways to update Named Values programmatically. In the end we found the way to do it with management APIs. The reason it was so hard to find is that it's not called Named Values in the management API, it is called `properties`. Now this is confusing, because the GUI for APIM also has a section named `properties` that has nothing to do with named values.
    It would help a lot if your GUI and management API would use the same terminology.

    1 vote
    0 comments  ·  API management experience
  10. Fix: Autogenerated "name" in new operation doesn't strip invalid characters

    add this as displayname:

    /path/routePath/{parameter}

    This gets auto-generated as name

    path-routepath-{parameter}

    But that auto-generated name is invalid because of the brackets. The auto-generation process already changes slashes to dashes, so why not also make it strip out invalid characters?

    1 vote
    planned  ·  0 comments  ·  API management experience
  11. Use valid xml to configure policies.

    In your examples one can find lines like this one:

    `<set-variable name="isMobile" value="@(context.Request.Headers["User-Agent"].Contains("iPad") || context.Request.Headers["User-Agent"].Contains("iPhone"))" />`

    If you try to validate this xml, you will find out that those double quotes inside of the value attribute are not allowed.

    1 vote
    0 comments  ·  Policies
  12. Add support for evaluating jsonpath expressions against request bodies within a policy and conditionally invoking an external request

    I'd like the ability to use a jsonpath expression to query a json request body and send the results to an external endpoint for validation. This is intended to implement a form of request spoofing prevention.

    1 vote
    under review  ·  1 comment  ·  Policies
  13. Provide a callback or REST API to check if changes made through management operations have been picked by Proxy

    Posting on behalf of customer:

    Per current API Management design/implementation, management operations are async and the Proxy could take a few seconds to a minute to pick up the changes made through management APIs.
    The delay is non-deterministic, as there are multiple factors which could impact the time for the Proxy to pick up the changes, like the number of proxies involved and the load on the proxy when control plane operations were made.

    As there's no deterministic way currently to confirm when the Proxy has picked up the changes, we're not able to confirm if the API is ready to handle workload relying on the changes.

    So, we request to…

    1 vote
    0 comments  ·  Service management
  14. Provide a configurable timeout for password reset link in API Management

    Currently, when resetting a user's password in the Azure API Management portal, the email link expires after ~30 mins.

    Ideally, the timeout value should be configurable as we have processes that require a longer period. Customers in other countries are often not immediately available to follow the link.

    Provide a configurable timeout for password reset link in API Management.

    1 vote
    under review  ·  0 comments  ·  API management experience
  15. Use valid xml to configure policies.

    In your examples one can find lines like this one:

    `<set-variable name="isMobile" value="@(context.Request.Headers["User-Agent"].Contains("iPad") || context.Request.Headers["User-Agent"].Contains("iPhone"))" />`

    If you try to validate this xml, you will find out that those double quotes inside of the value attribute are not allowed.

    1 vote
    1 comment  ·  Policies
  16. Subscription key

    Hey, how about making it simple and clear on how to get a subscription key for using an API. I finally gave up on using Azure due to this.

    1 vote
    0 comments
  17. Allow import only changes for existing Azure Functions API

    Partners should be able to only import changes when importing APIs into a project that already has Azure Functions APIs.

    1 vote
    0 comments  ·  API management experience
  18. Ability to store secrets in named values so they cannot be retrieved by contributors

    Currently Secrets can be stored in APIM named values, however a contributor can click on the secret in the portal and retrieve its contents, while this makes sense in some cases, where we are storing secrets like service principal keys the behaviour exhibited in the rest of Azure (i.e. you can copy the secret once at creation but after that point it is never available again).

    This is a particular issue for us, as we have different teams contributing to individual APIs in APIM, as it stands any user who is an APIM contributor for any API can uncover the…

    1 vote
    1 comment
  19. List incremental of entities

    Hi, team
    For now, we pull our apim instances' entities every day from API management service. But we can only get a 1 day snapshot.
    Is it possible to get incremental values of these entities (user/operation/api/product/subscription etc.) from API management services? For example, can we get data filtered by update time?

    1 vote
    under review  ·  0 comments  ·  Service management
  20. Expose a way to modify the APIM idle timeout or tcp keep alive settings

    I have several legacy, long-running, synchronous API operations (10+ mins) that never get a response when I route them through APIM. This is because APIM does not maintain that TCP connection long enough for the backend server to compile the response.

    A quick response is to make them asynchronous, which I would have done from the beginning had I designed and developed this product, but as I said this is a legacy application with many existing clients and to change the architecture of this now is not really feasible.

    I have worked with Todd Foust from Microsoft support to determine…

    1 vote
    under review  ·  1 comment  ·  API management experience