Subscription Keys in Azure API Management

Overview

Subscription keys are the primary mechanism for controlling and monitoring access to your APIs in Azure API Management. Think of a subscription key as a membership card - it identifies who is accessing your APIs and allows you to track usage, apply rate limits, and revoke access when needed. Unless you switch the requirement off for a product or API, every consumer must subscribe to receive a valid key. Keep in mind that a key is a bearer secret: whoever holds it is treated as that subscriber, so a key identifies and meters a caller but does not prove who the caller is. Where you need real authentication, combine keys with OAuth 2.0 token validation or client certificates.

What You'll Learn

  • How subscription keys work to secure your APIs
  • Creating and managing subscriptions
  • Using keys in API requests (header vs query parameter)
  • Best practices for key rotation and security

Why Subscription Keys Matter

Subscription keys provide several important capabilities:

  • Access Control - Only subscribers with valid keys can call an API for which the subscription requirement is on
  • Usage Tracking - Monitor which applications are calling which APIs
  • Rate Limiting - Apply different limits to different subscription tiers
  • Revocation - Quickly disable access for compromised keys without affecting other users

How It Works

  1. Subscriber subscribes to a product (or directly to an API)
  2. APIM generates two keys (primary and secondary) for the subscription; either key is accepted, so one can be rotated while clients keep using the other
  3. Caller includes one key in each request, in the Ocp-Apim-Subscription-Key header or the subscription-key query parameter
  4. APIM looks the key up, checks that the subscription is active and that its scope covers the requested API, then forwards the request; otherwise it answers 401 without calling the backend
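The following is an added example, not APIM's own code or anything from the page's author. It models the four steps above as a small gateway: it reads a key from the default header or query parameter, accepts either the primary or the secondary key, rejects suspended subscriptions and keys whose scope does not cover the requested API, lets an API with the requirement switched off through anonymously, and shows that regenerating one key invalidates it immediately while the other keeps working. The product, API and subscription names, the key values and the Gateway class are constructed for the example; the header and query parameter names are APIM's defaults and the 401 message texts follow the gateway's wording.

```python
"""Model of how the APIM gateway validates a subscription key.

Added example, not APIM's own code: the products, APIs, subscriptions and
key values below are constructed; the header and query parameter names are
APIM's defaults and the 401 messages follow the gateway's wording.
"""
import secrets
from dataclasses import dataclass

HEADER_NAME = "Ocp-Apim-Subscription-Key"  # default header (configurable per API)
QUERY_NAME = "subscription-key"            # default query parameter name

MISSING_KEY = ("Access denied due to missing subscription key. Make sure to "
               "include subscription key when making requests to an API.")
INVALID_KEY = ("Access denied due to invalid subscription key. Make sure to "
               "provide a valid key for an active subscription.")


@dataclass
class Subscription:
    name: str
    scope: str             # "product:<name>" or "api:<name>"
    primary: str
    secondary: str
    state: str = "active"  # anything else (e.g. "suspended") is rejected


class Gateway:
    def __init__(self, products, subscription_required, subscriptions):
        self.products = products                            # product -> set of API names
        self.subscription_required = subscription_required  # API name -> bool
        self.subscriptions = {s.name: s for s in subscriptions}

    def _lookup(self, key):
        # Constant-time comparison so response timing does not leak key bytes.
        for sub in self.subscriptions.values():
            if secrets.compare_digest(key, sub.primary) or \
               secrets.compare_digest(key, sub.secondary):
                return sub
        return None

    def _covers(self, sub, api):
        kind, _, name = sub.scope.partition(":")
        if kind == "api":
            return name == api
        return api in self.products.get(name, set())

    def validate(self, api, headers=None, query=None):
        """Return (status, message, subscription name or None)."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        key = headers.get(HEADER_NAME.lower()) or (query or {}).get(QUERY_NAME)
        if not self.subscription_required.get(api, True):
            # Requirement switched off: the call is forwarded even without a
            # key, so nothing identifies or meters this caller.
            return 200, "forwarded (anonymous)", None
        if not key:
            return 401, MISSING_KEY, None
        sub = self._lookup(key)
        if sub is None or sub.state != "active" or not self._covers(sub, api):
            # Unknown, revoked and out-of-scope keys all get the same answer,
            # so a caller cannot probe which subscriptions exist.
            return 401, INVALID_KEY, None
        return 200, "forwarded", sub.name

    def regenerate(self, name, slot):
        """Replace the "primary" or "secondary" key. The old value stops
        working immediately; the other slot is untouched. Returns the new key."""
        sub = self.subscriptions[name]
        new_key = secrets.token_hex(16)
        setattr(sub, slot, new_key)
        return new_key


def build_example_gateway():
    """Constructed data for the example (not real products or keys)."""
    products = {"Gold Tier": {"API A", "API B", "API C"}, "Public": {"Status"}}
    required = {"API A": True, "API B": True, "API C": True, "Status": False}
    subs = [
        Subscription("Developer Subscription", "product:Gold Tier",
                     "pk-dev-0001", "sk-dev-0002"),
        Subscription("Partner (API A only)", "api:API A",
                     "pk-partner-0003", "sk-partner-0004"),
        Subscription("Leaked", "product:Gold Tier",
                     "pk-old-0005", "sk-old-0006", state="suspended"),
    ]
    return Gateway(products, required, subs)


if __name__ == "__main__":
    gw = build_example_gateway()
    print(gw.validate("API A", headers={HEADER_NAME: "pk-dev-0001"}))
    print(gw.validate("API A", query={QUERY_NAME: "sk-dev-0002"}))
    print(gw.validate("API B", headers={HEADER_NAME: "pk-partner-0003"}))
    print(gw.validate("API A", headers={HEADER_NAME: "pk-old-0005"}))
    print(gw.validate("Status"))
```

Note the two deliberate choices: the requirement toggle is checked before the key, because an open API forwards every call regardless of what the client sends, and all rejection cases share one 401 message so the gateway does not reveal whether a key exists, is suspended, or is merely scoped to another product.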

Create Subscription

Via Portal

  1. Go to APIM → Subscriptions
  2. Click + Add subscription
  3. Configure:
    • Name: "Developer Subscription"
    • Scope: Product (or API)
    • Product: Select product
  4. Click Save

Keys Generated

  • Primary key: abcdef123456...
  • Secondary key: 123456abcdef...

The values above are placeholders. Real keys are opaque random strings that the portal hides by default; treat them like passwords and store them in a secret store rather than in source control or client-side code.

Using the Key

Header (Recommended)

Ocp-Apim-Subscription-Key: <your-key>

Query Parameter

https://my-apim.azure-api.net/products?subscription-key=<your-key>

Prefer the header: a key in the query string ends up in browser history, proxy and web-server access logs, and Referer headers, so it leaks far more easily. Both names shown are APIM's defaults and can be changed per API in its settings; clients must then use the configured names.

Requiring Subscriptions

Per Product

  1. Go to APIM → Products
  2. Select product
  3. Toggle Require subscription

Per API

  1. Select API → Settings
  2. Toggle Subscription required

When the requirement is off, APIM forwards calls that carry no key at all, so nothing identifies the caller and per-subscription rate limits and usage tracking do not apply. Leave it on unless you deliberately publish an open API, and protect such an API by other means.

Product Subscriptions

Why Use Products?

  • Group APIs together
  • Apply common policies
  • Simplify subscription

Common Setup

Product: "Gold Tier"
├─ API A
├─ API B
└─ API C

Users subscribe to "Gold Tier"
→ Access all APIs in product

Best Practices

  1. Rotate keys without downtime - Regenerate the key clients are not using, move clients to it, then regenerate the one they left. The two slots exist precisely so that rotation never rejects a legitimate client.
  2. One subscription per client and environment - Separate keys for dev, test and production and for each consuming application, so a revocation affects exactly one caller and usage reports stay meaningful.
  3. Revoke compromised keys - If the primary key leaks, move clients to the secondary and regenerate the primary; the leaked value stops working the moment it is regenerated. Suspend the whole subscription if both keys are exposed.
  4. Scope appropriately - Subscribe at API level when a consumer only needs one API; a product-scoped key grants every API in the product.
  5. Keep keys out of logs and code - Send them in the header, not the query string, store them in a secret store such as Key Vault, and never hand out the service's built-in all-access subscription.
  6. Do not rely on keys alone for authentication - Add OAuth 2.0 token validation or client certificates where the identity of the caller matters.
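The rotation sequence from the first best practice, as an added example that is not the page's or APIM's own code. It drives the three Azure Resource Manager operations on a subscription - listSecrets, regeneratePrimaryKey and regenerateSecondaryKey - and alternates slots on every run, so clients are never asked to use a key that is about to be invalidated. The resource names, the ARM_TOKEN environment variable and the update_clients callback are assumptions; the FakeArm class is a constructed stand-in for the real endpoint so the script runs offline.

```python
"""Zero-downtime rotation of an APIM subscription's keys (added example).

Uses the ARM REST operations listSecrets, regeneratePrimaryKey and
regenerateSecondaryKey on a subscription. Assumptions: the resource names
in subscription_url(), a bearer token in ARM_TOKEN (for example from
'az account get-access-token'), and a caller-supplied update_clients()
that pushes a new key to every client. FakeArm is a constructed stand-in
for ARM so the example runs without network access.
"""
import json
import os
import secrets
import urllib.request

API_VERSION = "2022-08-01"


def subscription_url(azure_sub, resource_group, service, sid):
    """ARM resource URL of one APIM subscription (names are assumptions)."""
    return (f"https://management.azure.com/subscriptions/{azure_sub}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.ApiManagement"
            f"/service/{service}/subscriptions/{sid}")


def arm_call(method, url):
    """Real transport: call ARM with the bearer token from ARM_TOKEN."""
    req = urllib.request.Request(
        f"{url}?api-version={API_VERSION}", method=method,
        headers={"Authorization": f"Bearer {os.environ['ARM_TOKEN']}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()              # regenerate* answers 204 with no body
        return json.loads(body) if body else {}


class FakeArm:
    """Constructed stand-in that behaves like the three ARM operations."""

    def __init__(self):
        self.keys = {"primaryKey": secrets.token_hex(16),
                     "secondaryKey": secrets.token_hex(16)}

    def __call__(self, method, url):
        op = url.rsplit("/", 1)[-1]
        if op == "listSecrets":
            return dict(self.keys)
        if op == "regeneratePrimaryKey":
            self.keys["primaryKey"] = secrets.token_hex(16)
            return {}
        if op == "regenerateSecondaryKey":
            self.keys["secondaryKey"] = secrets.token_hex(16)
            return {}
        raise ValueError(f"unexpected operation {op}")


def rotate(base_url, call, in_use, update_clients):
    """Rotate one subscription's keys without rejecting any client.

    in_use: slot clients send today, "primaryKey" or "secondaryKey".
    call(method, url): transport, arm_call for real use or a FakeArm.
    update_clients(new_key): distributes the key and returns once every
    client sends it (check gateway logs for stragglers before step 3).
    Returns the slot clients use after rotation; pass it in next time.
    """
    spare = "secondaryKey" if in_use == "primaryKey" else "primaryKey"
    regen = {"primaryKey": "regeneratePrimaryKey",
             "secondaryKey": "regenerateSecondaryKey"}
    call("POST", f"{base_url}/{regen[spare]}")         # 1. fresh key nobody uses yet
    fresh = call("POST", f"{base_url}/listSecrets")[spare]
    update_clients(fresh)                              # 2. move clients to it
    call("POST", f"{base_url}/{regen[in_use]}")        # 3. kill the key they left
    return spare


if __name__ == "__main__":
    url = subscription_url("00000000-0000-0000-0000-000000000000",
                           "rg-apim", "my-apim", "developer-subscription")
    fake = FakeArm()
    slot = rotate(url, fake, "primaryKey", lambda k: print("deploy", k))
    print("clients now use", slot)
```

For a real run, replace the FakeArm with arm_call and make update_clients block until the new key is deployed everywhere; step 3 is the only irreversible point, so verify in the gateway logs that no request still carries the old key before it executes.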

Azure Integration Hub - Beginner Level