I think of APIM subscription keys as equivalent to a client ID in other APIs, or perhaps a user name or API key. As such, your question is really: how can I tell user A used my API over user B when both are using the same client ID/user name/API key/subscription ID? I think the flaw here is that you're using the same subscription ID for "different" users. If you want to identify users differently, then they should have their own subscription IDs. I'd argue that, for security reasons, each user should have their own subscription key anyway.
The only workaround that I can think of is to require an HTTP header as part of the request, and that is where you store the extra data. Since APIM isn't based on OAuth2, in my experience, the more traditional approach of having extra fields in the authentication request wouldn't work. But if users are sharing subscription keys, then nothing prevents user A from authenticating using user B's subscription key/info, so it is not exactly secure.
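The header workaround described in the answer above, sketched as an APIM inbound policy. This is an added example, not part of the original answer; the header name `X-Caller-Id` and the trace source `caller-attribution` are assumptions chosen for illustration.

```xml
<!-- Added example. X-Caller-Id and caller-attribution are hypothetical names. -->
<policies>
    <inbound>
        <base />
        <!-- Reject any request that does not carry the extra header at all.
             No <value> children are listed, so only presence is enforced. -->
        <check-header name="X-Caller-Id"
                      failed-check-httpcode="400"
                      failed-check-error-message="X-Caller-Id header is required"
                      ignore-case="true" />
        <!-- Record the subscription (resolved by APIM from the key) next to the
             caller-supplied header. The subscription ID is the only value the
             gateway itself established; the header is self-asserted, so with a
             shared key it is a label for reporting, not proof of identity. -->
        <trace source="caller-attribution" severity="information">
            <message>@("subscription=" + context.Subscription?.Id + " claimed-caller=" + context.Request.Headers.GetValueOrDefault("X-Caller-Id", ""))</message>
        </trace>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With one subscription per user, the `subscription=` field alone attributes the call and the header check can be dropped.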