API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Add support for key vault stored SSL certificates in API Management service

    Add ability to use SSL certificates bought through Azure and stored in key vault with API Management instance.

    54 votes
    4 comments  ·  Security
  2. Developer Portal displays IIS Yellow Page

    https://****.portal.azure-api.net/

    A security team observes that the developer portal application reveals the server information in terms of IIS error page (Yellow Page).

    System should have ability to configure "Default IIS error page".

    Try accessing any developer portal URL by expanding "/C:/test" to actual URL.

    51 votes
    under review  ·  1 comment  ·  Security
  3. Enable WS-Security for SOAP backends

    In a REST to SOAP scenario where the backend demands the SOAP message to be signed using a certificate, it would be great if there were policies that could generate the whole message based on the contents of the body. Right now one can build the SOAP XML message using a liquid template but then the task of generating the security headers is hard (and I really don't know how to generate them). For example:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://webservices.myweb.com">
    <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    ......<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-123456">generated_token</wsse:BinarySecurityToken>
    <ds:Signature Id="SIG-65D54B60823432DD6615040826919135"…

    51 votes
    4 comments  ·  Policies
  4. Support in "produces" section the Accept-Header from OpenAPI specification

    The produces/consumes is MIME type.
    1. The “consumes” specifies the format that the API can accept. So “consumes” only affects operations with a request body, such as POST, PUT and PATCH.
    And is sent via “Content-Type” header
    2. The “produces” specifies the format that the API can return.
    And is sent via “Accept” header

    Using the “Accept” header the user can select needed API response MIME type (e.g. "text/plain", "application/octet-stream", "*/*").

    When sending a request with Swagger UI, we can select "application/octet-stream" Response Content Type.
    The request was sent by Swagger UI with the “Accept” header value filled "application/octet-stream".

    In the…

    51 votes
    1 comment  ·  Developer portal
  5. Ability to manage Subscription Keys for a Group of users

    Allow the assignment of a subscription key that applies to a group of users. The idea is to create one shared subscription key that is tied to the group so as members of the group swap in/out they can use that key.

    Think of a large company of developers: rather than creating a shared login, the group of developers could be put into the group and then have access to that application's subscription keys.

    The idea is really to treat the key as an entity that isn't a person but needs to be managed by several people, like give this…

    48 votes
    2 comments  ·  API management experience
  6. http2

    Enable http2 for the API Management

    48 votes
    planned  ·  0 comments  ·  Service management
  7. Manual order/grouping of operations

    It'd be great to be able to manually order and/or group operations within an API for easier usage.

    48 votes
    7 comments  ·  Developer portal
    under review  ·  Miao Jiang responded

    Thanks for the feedback. Can you please provide a little more details on how you want this to work? Do you want this feature on developer portal or admin portal or both? Thanks!

  8. Do not deploy echo-api when deploying via the SDK or ARM template.

    If I create a new Microsoft.ApiManagement/service resource and I do not have any Microsoft.ApiManagement/service/apis defined I would not expect an "example api" to be included.

    The SDK and ARM templates are for people to automate their deployments, adding an API to show someone how to use the APIM service on ALL new deployments does not make sense in a scripted environment.

    If creating a new APIM from the web portal causes it to add an extra API to show the usage of APIM, that is fine, I would totally understand that behavior. But adding un-asked for apis during a…

    47 votes
    under review  ·  2 comments  ·  Defining APIs
  9. Update the Developer Portal design and styling, it is outdated

    Update the design with more neutral styling as common on many developer portals out there, or simply make it more in line with the new Azure Portal. The center page layout does not fit with anything anymore.

    47 votes
    planned  ·  3 comments
  10. Multiple URL Templates for an operation

    Having multiple URL Templates for an operation will make it easy to configure the optional parameters.

    45 votes
    0 comments  ·  Defining APIs
  11. Support for multi-tenant user login delegation

    In a multi-tenant scenario, there is no option to delegate user login to multiple urls, the delegation section allows only one url.

    It would be great if it would allow one delegation endpoint per custom developer portal domain.

    45 votes
    0 comments  ·  Developer portal
  12. Deploy APIM in Azure Emulator to allow for local testing of configurations

    Add APIM to the Azure emulator to allow testing of routing and policies.

    44 votes
    under review  ·  0 comments  ·  API management experience
  13. AAD integration for all Tiers

    Just because we want a good API interface does not mean we are doing the next Facebook. APIM at Standard level would be, by far, the most expensive component of my entire end to end IoT data platform and includes far more bandwidth than I will likely require. But now you expect me to pay over 4 times as much just to integrate AD for a handful of users?

    I will either keep to Developer tier or if that is not sufficient the internal developers can use personal Microsoft accounts. On the bright side, it does eliminate a tie in…

    44 votes
    under review  ·  4 comments  ·  Pricing
  14. Visual Studio Integration for Policy Editing and Testing

    The policy editor in the publisher portal is terrible. A VS plugin that would allow IntelliSense, code completion, syntax checking and policy debugging would be extremely helpful.

    41 votes
    2 comments  ·  Policies
  15. Extend support for .net x509 in policies

    When working with certificates, it would be really useful to extend the .net api surface so to include X509Chain and related classes (so to control the validation policy) and also the System.Security.Cryptography.X509Certificates.X509NameType object so to extract easily a CN from a certificate (for example).

    41 votes
    under review  ·  1 comment  ·  Policies
  16. Support better grouping & sorting of products & APIs

    Right now - everything is forced into alphabetical sorting. There are no grouping options. We plan to use this for our entire enterprise, and we expect to end up with hundreds of APIs and dozens of products. A simple "sort order" field will accomplish the sorting issues, may be cumbersome to maintain but we could manage. Not sure how grouping would work, but here is our example:

    Products:
    Business Unit A - Developer
    Business Unit A - Test
    Business Unit A - Production
    Business Unit A - Production Unlimited

    I may like to have a "bucket" named just "Business Unit…

    39 votes
    2 comments  ·  Developer portal
  17. different endpoint for an operation based on product

    Would be nice to have the option to define a different endpoint for different products. This will allow defining 'test' and 'live' products that work with different environments. While at the same time the developers' keys, examples, etc. are all in one place.

    38 votes
    planned  ·  1 comment  ·  Defining APIs
  18. Support for HTTP/2 for APIM connecting to backend services

    HTTP/2 is supported for APIM client side facing communications, it will be great to support HTTP/2 also for backend side facing communications so that the entire request chain can be HTTP/2 enabled.

    38 votes
    1 comment  ·  Gateway
  19. Ability to assign public static IP address to public endpoint

    When the API consumer is adding firewall rules, the changes to public IP address causes maintenance churn. There are some instances where the API management is used under test and qa controlled by devops and the endpoint address changes every time the resource is recreated. Requesting the ability for API management to be treated like any other resource in the devops process.

    38 votes
    4 comments  ·  Integration
  20. Use DDoS Protection Standard with VNET integrated API Management gateway

    We would like to use DDoS Protection Standard for our VNET integrated API Management Service. A possible solution could be to have self-signed public ip's for the public endpoint.

    P.S. We cannot put an Application Gateway v2 in front of API gateway because of the requirement of Client Certificate Authentication.

    38 votes
    0 comments  ·  Security