Subscriptions in Azure API Management
In Azure API Management, subscriptions are the most common way for API consumers to access APIs published through an API Management instance. This article provides an overview of the concept.
What are subscriptions?
By publishing APIs through API Management, you can easily secure API access using subscription keys. Consume the published APIs by including a valid subscription key in the HTTP requests when calling to those APIs. Without a valid subscription key, the calls will:
- Be rejected immediately by the API Management gateway.
- Not be forwarded to the back-end services.
To access APIs, you'll need a subscription and a subscription key. A subscription is a named container for a pair of subscription keys.
Regularly regenerating keys is a common security precaution, so most Azure products requiring a subscription key will generate keys in pairs. Each application using the service can switch from key A to key B and regenerate key A with minimal disruption, and vice versa.
- Developers can get subscriptions without approval from API publishers.
- API publishers can create subscriptions directly for API consumers.
API Management also supports other mechanisms for securing access to APIs, including the following examples:
Scope of subscriptions
Subscriptions can be associated with various scopes: product, all APIs, or an individual API.
Subscriptions for a product
Traditionally, subscriptions in API Management were associated with a single API product scope. Developers:
- Found the list of products on the developer portal.
- Submitted subscription requests for the products they wanted to use.
- Use the keys in those subscriptions (approved either automatically or by API publishers) to access all APIs in the product.
- You can access APIs with or without the subscription key regardless of subscription scope (product, global, or API).
Currently, the developer portal only shows the product scope subscriptions under the User Profile section.
Under certain scenarios, API publishers might want to publish an API product to the public without the requirement of subscriptions. They can deselect the Require subscription option on the Settings page of the product in the Azure portal. As a result, all APIs under the product can be accessed without an API key.
Subscriptions for all APIs or an individual API
With the addition of the Consumption tier of API Management, subscription key management is more streamlined.
Two more subscription scopes
Subscription scopes aren't limited to an API product. You can create keys that grant access to either:
- a single API, or
- All APIs within an API Management instance.
You don't need to create a product before adding APIs to it.
Each API Management instance comes with an immutable, all-APIs subscription (also called an all-access subscription). This built-in subscription makes it straightforward to test and debug APIs within the test console.
If you're using an API-scoped subscription or the all-access subscription, any policies configured at the product scope aren't applied to that subscription.
API Management now allows standalone subscriptions. You no longer need to associate subscriptions with a developer account. This feature proves useful in scenarios similar to several developers or teams sharing a subscription.
Creating a subscription without assigning an owner makes it a standalone subscription. To grant developers and the rest of your team access to the standalone subscription key, either:
- Manually share the subscription key.
- Use a custom system to make the subscription key available to your team.
Creating subscriptions in Azure portal
API publishers can create subscriptions directly in the Azure portal:
Get more information on API Management: