Hi @curious7 ,
APIM's Developer Portal "Try it" feature can add an Authorization header by obtaining an access token from a configured OAuth 2.0/OpenID Connect authorization server.
After you configure an OAuth 2.0 authorization server and enable it for an API:
- A user can authorize access through the Try it console.
APIM acquires an access token from the configured identity provider.
The access token is automatically added to the request's Authorization header when the API call is executed.
It is important to note that Developer Portal authentication and API authentication are separate security contexts. Even if users sign in to the Developer Portal using Azure AD B2C, that sign-in token is not automatically forwarded to API requests made through the Try it console.
If you don't configure OAuth for "Try it", will it succeed?
Case A – API requires OAuth/JWT validation
If your API (or a global/APIM policy) enforces JWT validation using a validate-jwt policy, the request must include a valid bearer token. Without a valid Authorization header, the request will be rejected by APIM or the backend API (typically with a 401 Unauthorized response).
In this scenario, if OAuth is not configured for Try it, users would need to manually provide a valid access token; otherwise, the request will fail.
Case B – API does not require OAuth/JWT validation
If the API does not validate access tokens (or uses another authentication mechanism), the Try it console can still invoke the API successfully without OAuth configuration.
Security considerations
Not configuring OAuth for Try it does not introduce a security risk by itself. The primary impact is on usability:
Protected APIs cannot be tested directly unless users manually provide a valid token.
Requests without valid tokens will be rejected when JWT validation is enforced.
The main consequence is a less streamlined developer experience rather than reduced security.
Therefore, if your APIs require JWT validation and you want developers to use the Try it console seamlessly, configuring an OAuth 2.0/OpenID Connect authorization server in APIM is recommended.
Hope this helps!
If the resolution was helpful, kindly take a moment to click on
and click on Yes for was this answer helpful. And, if you have any further query do let us know.