Securing API Access with Subscription Keys

    Another aspect of APIs in API Management is security. You can add subscription keys to your API (definitions) to control access. Consumers of the API will need to add a valid subscription key in the request header to access the API operations.

    To get a subscription key, you, as the API (definition) author or the person responsible for managing APIs in an API Management instance, can go to Subscriptions under APIs. There you can manage subscriptions by adding new ones or editing existing ones.

    image.png

    When adding a new subscription, you will need to provide a name for the subscription, set the scope (all APIs, an individual API, or a product), choose whether to allow tracing, and specify the users (those who can manage the subscription).

    The management options for subscriptions are shown in the screenshot above. You can activate, submit, suspend, reject, and cancel a subscription. Furthermore, you can choose to regenerate the primary and secondary subscription keys.
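
An added example (not from the original article) of a consumer sending the subscription key in the request header and falling back to the secondary key when the primary is rejected, for instance after it has been regenerated. It assumes Azure API Management's default header name `Ocp-Apim-Subscription-Key` and a 401 response for a rejected key; the endpoint, the key values and the `fake_gateway` stand-in are constructed so the code runs offline.

```python
import urllib.error
import urllib.request

# Assumption: Azure API Management's default subscription-key header name.
KEY_HEADER = "Ocp-Apim-Subscription-Key"


def http_send(url, key, timeout=10):
    """Send a GET with the subscription key in the request header."""
    req = urllib.request.Request(url, headers={KEY_HEADER: key})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()  # a rejected key comes back as 401


def call_api(url, primary, secondary, send=http_send):
    """Try the primary key, fall back to the secondary on 401.

    Returns (status, body, key_name); key_name is None if both were rejected.
    """
    status, body = 0, b""
    for name, key in (("primary", primary), ("secondary", secondary)):
        status, body = send(url, key)
        if status != 401:
            return status, body, name
    return status, body, None


def fake_gateway(valid_keys):
    """Constructed stand-in for the gateway so the example runs offline."""
    def send(url, key):
        return (200, b"ok") if key in valid_keys else (401, b"denied")
    return send


def demo():
    url = "https://example.invalid/orders"  # hypothetical endpoint
    # Constructed keys; real ones belong in a secret store, not in source.
    primary, secondary = "old-primary", "secondary"
    before = call_api(url, primary, secondary, fake_gateway({primary, secondary}))
    # The primary key was regenerated: the old value is now rejected.
    after = call_api(url, primary, secondary, fake_gateway({"new-primary", secondary}))
    return before, after


if __name__ == "__main__":
    print(demo())
```

A response served by the secondary key is the signal that the stored primary key is stale and needs to be refreshed from the subscription.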


    Note: There are more options available to secure APIs, such as OAuth 2.0, IP whitelisting, and client certificates. As a first line of defence, subscriptions are an excellent way to start; however, you should also add OAuth 2.0 to your APIs to have the API consumer identify itself and use the subscription key as an authorization mechanism.
