API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Enhance Json Serialization support in Policy Expressions for Legacy Backend APIs

    Provide access to JsonConverter types, e.g. JavaScriptDateTimeConverter so that a JObject can be formatted as needed for a legacy system.

    Currently, if a Json object needs to be translated to a different format for a DateTime property it is not easily possible to convert the APIM body JObject to what the backend service expected for Json serialization.

    1 vote
    under review  ·  0 comments  ·  Policies
  2. Azure Functions API import fails after setting IP restrictions on the Function

    The feature to import from Azure Functions to APIM does not work when Azure Functions has a firewall. Adding the APIM outgoing ip address to the list of allowed addresses still does not allow the import to work. Azure Functions and APIM should be able to seamlessly integrate together. Currently, we are not able to use IP restrictions.


    1. Create Azure Function

    2. Add IP Restriction and deny all traffic except for incoming traffic from APIM endpoint

    3. Try to import Azure Function endpoints to APIM

    4. The UI throws an error when actually trying to import

    1 vote
    0 comments  ·  Defining APIs
  3. Display OpenAPI 3.0 callbacks in Developer Portal

    The operations page does not display details of "Callbacks" section included in Open API 3.0:
    https://swagger.io/docs/specification/callbacks/

    Please could any callbacks defined against an operation be displayed in the new developer portal, in a similar way to Swagger UI

    1 vote
    0 comments  ·  Developer portal
  4. When clicking "load more" in API operation list, it should load more (add to the list) and not replace the currently visible operations

    When clicking "load more" in API operation list in the Azure management portal, it should load more (add to the list) and not replace the currently visible operations. Let's say you have 25 operations for the selected API, and the first 20 are displayed by default and there is a "load more" button at the bottom of the operation list, and you click it. Currently, it removes the first 20 and only shows the last 5. If you want to see the first 20 again, you have to then click and select a different API and then go back to…

    1 vote
    1 comment  ·  Defining APIs
  5. Optin/Optout on features & validations

    Oftentimes I see that new validations are being rolled out by the APIM team (a recent one was from last week's May 11th release) where they rolled out a validation check to force uniqueness on API path (excluding parameters), which broke our builds when our release build was en route to prod deploy. This also gives the power back to the consumers on when to opt in or opt out of any features you are releasing with future deployments.

    1 vote
    unplanned  ·  0 comments  ·  API management experience
  6. Try it page not handling optional route parameters

    I have this operation in my API

    "/get/{*path}": {
        "get": {
            "summary": "Get",
            "description": "Gets a single file or a collection of files and folders in a ZIP archive.",
            "operationId": "get",
            "parameters": [
                {
                    "name": "path",
                    "in": "path",
                    "required": true,
                    "schema": {
                        "type": ""
                    }
                },
                {
                    "name": "recurse",
                    "in": "query",
                    "description": "Retrieve files recursively or from the {path} directory only.",
                    "schema": {
                        "enum": [
                            "true",
                            "false"
                        ],
                        "type": "boolean"
                    }
                },
                {
                    "name": "pattern",
                    "in": "query",
                    "description": "An expression supporting asterisks as wildcards for filtering results.",
                    "schema": {
                        "type": "string"
                    }
                }
            ],
            "requestBody": {
                "content": {}
            },
            "responses":
    1 vote
    0 comments  ·  Developer portal
  7. Ability for Product Group Admins to have access to see the Publisher "Analytics" for their APIs/Products

    We require the ability for specific admin users (Product Group Owners) from different groups to get access to see only their APIs/Products analytics via the Azure Portal/Publisher Portal Analytics section.

    Currently the APIM Admin has visibility to all the APIs/Products Analytics (Publisher Portal) and is required to provide reports back to the specific Product owner.

    1 vote
    2 comments  ·  Defining APIs
  8. Custom Headers Missing In Azure Portal Operation Test

    Recently, about a month ago, I was working on some policies for some of my API Operations and noticed when I went to test them in the Azure portal that my custom headers and defaults were missing. It seems there has been a change made that requires you to manually add the headers and select the default value in order to test the API Operation. I have over 45 APIs with 100s of operations. I have headers defined with default values so that I can quickly open the API Operation and test the operation without having to set it up.…

    1 vote
    0 comments  ·  API management experience
  9. client cert with public key

    We have a scenario in which we would like to use Azure APIM to replace another vendor's API GW in use today. However, there is a serious flaw in APIM that prevents us from doing so. Many of our web services (this is healthcare so a bit more old school) are secured by client cert auth. If the public cert isn't in our API GW store and authorized for the web service then the authentication/authorization is rejected.

    Azure APIM currently (as far as I can tell) only allows certs with private keys to be loaded for validation using the cert store…

    1 vote
    0 comments  ·  Policies
  10. Url Helper Policy Expressions for Route Building

    As a developer I want to include hypermedia links to other operations in the same and other API sets so that I have easy navigation for clients between APIs.

    Today, these link URL paths must be hard coded based on what is known. To provide flexibility while developing APIs and to ensure routes are actually valid, provide a URL helper method to generate these routes.

    Example:

    context.RouteFor("API-ID", "Version", "Operation-ID", new {param1=1,param2="hello"})

    Today:

    <set-body>@{
        // Build the hypermedia links by hand; the route is hard coded.
        return JObject.FromObject(new {
            _links = new[] {
                new { href = $"/api/operation?query={context.Request.MatchedParameters.GetValueOrDefault("query", string.Empty)}&api-version=2018-10-31", rel = "other-api", type = "GET" }
            }
        });
    }</set-body>

    With a helper:

    <set-body>{ …

    1 vote
    0 comments  ·  Policies
  11. Support for token bucket - enable burst quota

    The current quota/call rate limit is +1 per call. In practice this means we create SKUs based on the maximum expected spike rather than average usage. By supporting a token bucket model (https://en.wikipedia.org/wiki/Token_bucket) we could define a SKU more aligned with our actual usage.

    For example: on average we have 50 calls per second, but need to be able to spike to 250 calls per second.

    Today we'd create a 250 calls per second throttle policy for this key/product which is not optimal.

    1 vote
    under review  ·  0 comments  ·  Policies
  12. Can you add System.Security.Cryptography.X509Certificates into whitelist. So it can be used to verify certificates.

    System.Security.Cryptography.X509Certificates is required to verify if a certificate is revoked or not and also validate the certificate chain.

    1 vote
    1 comment
  13. Allow control over publisher notifications

    There currently is no control over publisher notifications. Developer notification functionality could be replicated for publisher notifications. A small example is in Organization Name, this can be changed for developer notifications but not for publisher notifications.

    1 vote
    0 comments
  14. add ability to mark a header or parameter value as private

    We have additional credentials that are configured to be passed as additional headers. It would be nice to be able to mark these as "private" in the configuration so in the "try it" page the values that are typed in are handled like the subscription key and they appear as dots when typed. Right now when we're doing a screen share demonstration, people watching the demonstration have full view of the username and password being entered. Sure, we can go through special means to have dummy accounts or dummy systems, or change the credentials as soon as the demo is…

    1 vote
    need-feedback  ·  0 comments  ·  Defining APIs
  15. Policy tag directory

    Have a comprehensive directory that has all of the tags that can be used in the policy XML.

    An example is to have documentation of the <when> tag regarding which tags can be nested within and which attributes it accepts.

    I seem to be unable to find any resource that has detailed documentation on these multi-use tags.

    Thank you

    1 vote
    0 comments  ·  Policies
  16. Base an API revision off a git branch

    This may be possible, I'm not sure, but it would be useful if you could add a revision to an API or the entire API management and have it based off a branch in the git repository. This would allow a side by side API based on your staged changes and allow you to test in a blue/green scenario. Once the API is tested if you could make it public.

    1 vote
    under review  ·  0 comments  ·  Integration
  17. Fix the terminology

    Our team just spent a whole day looking for ways to update Named Values programmatically. In the end we found the way to do it with management APIs. The reason it was so hard to find is that it's not called Named Values in the management API, it is called properties. Now this is confusing, because the GUI for APIM also has a section named properties that has nothing to do with named values.
    It would help a lot if your GUI and management API would use the same terminology.

    1 vote
    0 comments  ·  API management experience
  18. Fix: Autogenerated "name" in new operation doesn't strip invalid characters

    Add this as display name:

    /path/routePath/{parameter}

    This gets auto-generated as name

    path-routepath-{parameter}

    But that auto-generated name is invalid because of the brackets. The auto-generation process already changes slashes to dashes, so why not also make it strip out invalid characters?

    1 vote
    planned  ·  0 comments  ·  API management experience
  19. Use valid xml to configure policies.

    In your examples one can find lines like this one:

    <set-variable name="isMobile" value="@(context.Request.Headers["User-Agent"].Contains("iPad") || context.Request.Headers["User-Agent"].Contains("iPhone"))" />

    If you try to validate this xml, you will find out that those double quotes inside of the value attribute are not allowed.

    1 vote
    0 comments  ·  Policies
  20. Add support for evaluating jsonpath expressions against request bodies within a policy and conditionally invoking an external request

    I'd like the ability to use a jsonpath expression to query a json request body and send the results to an external endpoint for validation. This is intended to implement a form of request spoofing prevention

    1 vote
    under review  ·  1 comment  ·  Policies