API Management Security with subscription keys only

hampton123 1,170 Reputation points
2024-01-18T21:30:13.1733333+00:00

I am just curious as to how secure APIs are with only APIM's built-in subscription keys. I currently have a few APIs within API Management. APIM's developer portal requires users to sign in and then they have access to their subscription keys through the developer portal, and the subscription key is encrypted as well inside of the developer portal. Would it be secure to only have the subscription key as security in API Management?

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

Accepted answer
  1. MayankBargali-MSFT 70,826 Reputation points
    2024-01-22T08:05:25.1866667+00:00

    @hampton123 Thanks for reaching out.

    API Management's subscription keys provide a basic level of security for your APIs. By requiring a valid subscription key in HTTP requests, API Management can easily secure API access. However, it is important to note that subscription keys alone may not be sufficient for all security scenarios.

    API Management also supports other mechanisms for securing access to APIs, including OAuth 2.0, client certificates, and restricting caller IPs. These mechanisms provide additional layers of security that can be used in conjunction with subscription keys to further secure your APIs.

    Regarding your question about the security of subscription keys in API Management, it is generally considered secure to use subscription keys as a means of authentication and authorization. As you mentioned, API Management's developer portal requires users to sign in and then they have access to their subscription keys through the developer portal, and the subscription key is encrypted as well inside of the developer portal. This helps to ensure that the subscription key is only accessible to authorized users and is not exposed to unauthorized parties.

    However, it is important to note that security is a continuous process and should be regularly reviewed and updated as needed. It is recommended to regularly review your security measures and consider additional security mechanisms as needed to ensure the ongoing security of your APIs.

    Please 'Accept Answer' if it helped so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.
