
Azure API Management - New API appeared: "ApimInternalManagedCertificateTokenRetrieveApi"

Dvorak, David 90 Reputation points
2026-02-27T13:10:32.31+00:00

Hello,

Recently a new API appeared in my Azure API Gateway (around 2 weeks ago): ApimInternalManagedCertificateTokenRetrieveApi

Although the naming suggests some leads on where this might lead, I am not sure and can't seem to find out the source, why this appeared just now, what uses it, etc.

I know that some changes were planned for 2026 regarding custom domains and Azure API Gateway, but I'm not sure.

Azure API Management

An Azure service that provides a hybrid, multi-cloud management platform for APIs.


Answer accepted by question author
  1. Pravallika KV 11,030 Reputation points Microsoft External Staff Moderator
    2026-02-27T13:42:57.8033333+00:00

    Hi @Dvorak, David,

    Thanks for reaching out to Microsoft Q&A.

    As per the update received from our Engineering team, ApimInternalManagedCertificateTokenRetrieveApi is a system-generated API that Azure API Management spins up behind the scenes to handle managed-certificate operations, i.e., token retrieval, auto-renewals, etc.

    It usually pops into your API list around the time your custom-domain or free/managed TLS certificate is being fetched or rotated.

    • It’s part of APIM's internal certificate-management plumbing.
    • It doesn't count toward your API quota or incur extra charges.
    • You won't accidentally surface it in production calls; it's only used by APIM itself.
    • You can safely ignore it; no action is required on your end.

    This isn't tied to the 2026 custom-domain changes; it's been around to support the managed-cert feature. You'll see it called when APIM talks to Key Vault or the managed-cert service.

    Hope this helps!


    If the resolution was helpful, kindly take a moment to click on Yes for "Was this answer helpful". And, if you have any further query do let us know.


1 additional answer

  1. Q&A Assist
    2026-02-27T13:10:44.9366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    ApimInternalManagedCertificateTokenRetrieveApi is an internal API surface used by Azure API Management to support the managed TLS (managed certificate) feature for custom domains. It is not a user-created API and is part of the platform changes around managed TLS certificates provided by DigiCert for Azure services.

    Recent and upcoming changes to managed TLS in Azure (including Azure API Management) explain why new internal components like this appear:

    • Azure API Management offers a free, managed TLS certificate option for custom domains on the gateway endpoint. These certificates are automatically renewed and managed by the service.
    • There are announced platform-wide updates to the managed TLS solution in 2025–2026, including:
      • Migration of managed TLS certificates to new DigiCert roots (DigiCert Global Root G2/G3) and new issuing CAs.
      • Removal of the Client Authentication EKU from managed TLS certificates, leaving only Server Authentication.
    • For API Management specifically:
      • Managed certificates are automatically renewed when set to autorenew, without downtime for tiers with an SLA.
      • A free, managed TLS certificate for custom domains is available (preview) and is automatically renewed.
      • Creation of new managed certificates for custom domains will be temporarily suspended between August 15, 2025 and March 15, 2026 while DigiCert migrates to a new validation platform.
      • Starting January 2026, API Management requires inbound access on port 80 to specific DigiCert IP addresses to renew managed certificates.

    ApimInternalManagedCertificateTokenRetrieveApi is part of this managed-certificate plumbing and is used by the service to obtain or refresh tokens/credentials needed to issue or renew managed TLS certificates. Its appearance in the gateway is a byproduct of these managed TLS capabilities and related platform changes, not something configured manually.

    It is safe to leave this API as-is; it is required for the managed certificate feature to function correctly and is not intended to be called or modified by client applications.

