![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 50%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
2,175 questions
@Marco Thanks for reaching out. Please correct if my understanding is right. You already have the setup as below:
Client --> Proxy (you are adding the subscription key) --> APIM
Now you want that your client should not able to access all the APIs in different products as you may be using the subscription key which is subscribed to all the products. They should only access one or more products based on which they have subscribed to and you are thinking of using the subdomain for this approach.
As you should already have the mapping based on your client which products they should be subscribed to. The best approach would be verifying this in your proxy application to validate whether your client is authorized or not based on your subdomain name. This will help in overcoming the overhead as it is like passing the request to your backend service to validate it.
If in case you don't want this to be implemented at your proxy level then your proxy should add a custom header that will have the subdomain details along with the subscription key (as you have already implemented) before calling the APIM. Now at the APIM end, you need to write an inbound policy to get the value of your custom header and validate it against the mapping (based on your client which products they should be subscribed) if the request should be authorized or not.