
APIM Developer Portal Custom Widget: interacting with secure APIs

AlejandroBenitez-0092 30 Reputation points
2025-05-28T12:53:24.5266667+00:00

I would like to create a custom widget (in typescript - not an HTML custom widget). Just want to be sure how to interpret the following warning in the Microsoft documentation:

"Your custom widget code is stored in public Azure blob storage that's associated with your API Management instance. When you add a custom widget to the developer portal, code is read from this storage via an endpoint that doesn't require authentication, even if the developer portal or a page with the custom widget is only accessible to authenticated users. Don't include sensitive information or secrets in the custom widget code."

Obviously not planning to hard code secrets in the custom widget code. However, is it possible to create a custom widget that includes a configuration setting which would allow setting a client ID and secret? Not sure if the warning refers only to the "widget code" or if it also includes the "widget configuration values". Are both stored in an insecure blob?

What would be the alternative if I need to access a secured API (either a custom one virtualized via APIM or a secured App Insights)? Would I have to use the connected user's authentication token (using B2B/guest accounts)?

Azure API Management


Answer accepted by question author

Ranashekar Guda 2,905 Reputation points Moderator
2025-05-28T18:44:07.71+00:00

Hello @AlejandroBenitez-0092,
The warning in the Microsoft documentation is cautioning against including sensitive information or secrets directly in the custom widget code because the code is stored in public Azure blob storage that can be accessed without authentication. This means that anyone with the endpoint can potentially view the code, including any hard-coded secrets.

To address this, you can create a custom widget that includes a configuration setting for the client and secret, rather than hard-coding them directly into the code. By allowing these values to be set dynamically through configuration settings, you can avoid exposing sensitive information in the code itself.

The warning primarily refers to the widget code stored in the public Azure blob storage. However, it's essential to ensure that any configuration values or settings that are stored alongside the code are also handled securely. While the configuration values may not be as easily accessible as the code itself, it's still best practice to avoid storing sensitive information in an insecure manner.

If you need to access a secured API, such as a custom API virtualized via Azure API Management or a secured App Insights instance, you can consider using the connected user's authentication token for authentication. This approach would involve leveraging the authentication mechanisms provided by Azure AD, such as B2B/guest accounts, to authenticate and authorize access to the secured APIs based on the user's permissions.

By utilizing authentication tokens and proper authorization mechanisms, you can ensure that access to secured APIs is controlled and restricted to authorized users, enhancing the security of your custom widget and interactions with secure APIs.

Kindly refer to the link below:
Extend the developer portal with custom widgets

If you find the answer helpful, kindly click "Accept Answer" and upvote it. If you have any further questions or concerns, please feel free to reach out to us. We are happy to assist you.

1 person found this answer helpful.
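As an added example (not code from the answer above, nor from Microsoft's APIM custom widget toolkit), the following TypeScript sketches the split the answer describes: only public settings go into widget configuration, credentials never do, and the secured API is called with the signed-in user's bearer token supplied at runtime. The config shape, the secret-key pattern and the getUserToken callback are assumptions.

```typescript
// Widget configuration the portal persists next to the widget bundle.
// Assumption: it is a plain JSON object; treat it as conservatively as the
// code, since both are fetched by the browser before any page-level auth.
interface WidgetConfig {
  apiBaseUrl: string;   // public: the APIM endpoint the widget calls
  clientId?: string;    // public identifier, safe to store
  scope?: string;       // public: the scope to request for the user token
  [key: string]: unknown;
}

// Keys that look like credentials. Any match in stored config is a finding,
// because the config can be served without authentication (assumed pattern).
const SECRET_KEY_PATTERN =
  /(secret|password|passwd|api[_-]?key|connection[_-]?string|sas[_-]?token|private[_-]?key)/i;

// Walk the config recursively and return dotted paths of suspicious keys.
function findSecretLikeKeys(config: Record<string, unknown>, prefix = ""): string[] {
  const hits: string[] = [];
  for (const [key, value] of Object.entries(config)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SECRET_KEY_PATTERN.test(key)) hits.push(path);
    if (value && typeof value === "object" && !Array.isArray(value)) {
      hits.push(...findSecretLikeKeys(value as Record<string, unknown>, path));
    }
  }
  return hits;
}

// Refuse to run the widget at all if its stored config carries a credential.
function assertSafeWidgetConfig(config: WidgetConfig): WidgetConfig {
  const hits = findSecretLikeKeys(config);
  if (hits.length > 0) {
    throw new Error(`widget config must not carry credentials: ${hits.join(", ")}`);
  }
  return config;
}

// Build the request for the secured API. getUserToken is a hypothetical
// callback that yields the signed-in portal user's access token at runtime,
// so no long-lived secret ever lives in the bundle or its configuration.
async function buildSecuredRequest(
  config: WidgetConfig,
  path: string,
  getUserToken: () => Promise<string>,
): Promise<{ url: string; headers: Record<string, string> }> {
  assertSafeWidgetConfig(config);
  const token = await getUserToken();
  if (!token) throw new Error("no signed-in user token; refusing to call the API anonymously");
  return {
    url: new URL(path, config.apiBaseUrl).toString(),
    headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
  };
}
```

The returned url and headers are what the widget would pass to fetch; the token is obtained per request and never written into configuration.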
