There are subscription keys and client certificates as access protection methods for Azure API Managemet. How should I use them properly?

test 1 Reputation point
2020-12-07T16:14:06.39+00:00

There are subscription keys and client certificates as access protection methods for Azure API Managemet. How should I use them properly?

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-create-subscriptions

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,148 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pramod Valavala 14,636 Reputation points Microsoft Employee
    2020-12-08T17:38:15.397+00:00

    You could use either or both based on your exact requirements.

    Subscription Keys are best to leverage the bundled Developer Portal to allow external/internal developers to test out APIs from the portal and subscribe to APIs as required. Also, when using subscription keys, there are policies rate-limit and quota, and reports scoped to subscriptions.

    Client Certificates can be an added protection, requiring clients to both know the subscription key and have the client certificate installed on the client machine.

    Another option to consider is OAuth-based Security.