Calling Azure Functions via Azure API Managment (APIM) from Browser Resident MSAL.js clients & APIM Subscription Keys

Siegfried Heintze 1,741 Reputation points


This is a follow on question to I see that when I use the portal to create an APIM & API I get an all-access-subscription (as described here: ) and when I use az apim create --name $serviceName --resource-group $rg --publisher-name $pub --publisher-email $email

I don't get such a subscription and either way my javascript (authenticated with MSAL.js) AJAX call can call to my azure function works.

In addition to having customers call my Azure Functions via my APIM, I would like to give them the option to use an existing client that I provide such as a browser resident javascript client.

How to implement Vendor (where I am the vendor) Supplied Javascript Clients?

If I am supplying a browser resident javascript client for my customers to call my Azure Functions via my APIM and I'm using an Azure Static Web Site with my javascript source code stored in a Github repo, how do I store the api subscription key?

  1. I suppose I could store it (the subscription key) in a key vault but regardless of where I store it, it still has go into the javascript source code, correct?
  2. How do I get the subscripiton key into the github resident source code? Do I just hard code it and commit & push to github? I thought this approach to pushing secrets to github repos was highly discouraged! And what if the subscription key changes? How do I write a github action that inserts the new subscription key into the deployed javascript code?
  3. If this subscription key is embedded in the browser resident source code, is it possible to securely post the client on a public web site? I'm thinking no because anyone could extract the subscription key from the javascript!
  4. Since I'm already using <validate-jwt> in the APIM policies as per, how could I add an APIM policy that would expand the claims and determine if current REST call is coming from a paying customer? I could create and store a GUID in an AzureAD extension claim or use a standard claim (mabye the [] claim -- is this unqiue?) and have the APIM policy search a list of paid customers in a cosmos db for his/her unique claim and reject non-paying customers? Is there an example of how to do this somewhere? I think this would solve the problem and give me the benefit of the APIM's ability to shield my azure functions from DOS attacks (for example).

Thanks again for your help!


Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,541 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Thomas Meads 1,506 Reputation points


    I believe what you are looking for is products which allows a user (authenticated via OAuth or similar) to be given access to a specific set of APIs based on their user group. You can find out more about it here:

    Storing any kind of secret in an SPA is not possible because as you say someone could just access the key. Hence why the oauth authorization code flow exists.

    Hope this helps.