How to secure APIM subscription key when calling APIs from Web Client Application

Abhishek Sinha 61 Reputation points


What are some secure ways to pass the Azure API Management (APIM) subscription key while calling APIs, without exposing it in the browser network tab? Passing the key inside the header is not ideal as it can be exposed in the network tab. Would configuring the APIM subscription key inside the Azure Key Vault help to secure it from hardcoding and also hide the secret values when calling APIs from a web client application?

Best regards,


Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,158 questions
Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,853 questions
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,476 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 35,541 Reputation points Microsoft Employee

    Hi @Abhishek Sinha ,

    You cannot hide or encrypt the APIM key as APIM will not be able to authenticate the request if you have encrypted the Ocp-Apim-Subscription-Key header or if you are not passing this header. The service needs the subscription key without encryption since it is the first step to authenticate the request.

    One option would be to have a middle services/proxy that makes a front end call and a middle/service proxy that makes the call to APIM using the plain text subscription key. Another option would be to enable JWT bearer token enabling to secure the API.

    The Azure security baseline for API Management document contains guidelines around to secure your cloud solutions on Azure and security controls defined by the Azure Security Benchmark, as well as guideliness applicable to API Management.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

    0 comments No comments

0 additional answers

Sort by: Most helpful