
How to bypass Subscription Key for single endpoint in the API in Azure API Management

I would like to avoid providing a Subscription Key for a single endpoint in my API. So far I have found that I can disable Subscription for a whole Product or API, which is not what I want. Is this even possible?

The only way that comes to my mind is another API and Product exposing only this single endpoint (obviously without subscription).

Krzysztof Madej asked Sep 19 '25 10:09


2 Answers

To summarize from the comments: currently we can't implement your requirement of disabling "subscription" for one endpoint of an API in APIM.

The workaround is what you mentioned: create another API or product for the endpoint and disable the "subscription".

Another workaround is to disable the "subscription" for all of the endpoints in the API, and add a query parameter (or header parameter) to the endpoints (except the one endpoint) as a "subscription key". Then check the subscription key in the "inbound" policy of most endpoints.

For this feature, you can also create a ticket on the Azure feedback page to suggest that the Azure development team add it.

Hury Shen answered Sep 22 '25 01:09


Here is the approach that we followed, and it worked for us.

  1. At the API level, set Subscription Required to false, which tells APIM not to reject APIs that don't have a subscription key.

  2. Check the Subscription value at the particular API endpoint by creating an Operation level policy. In your policy you'd need to check the context.Subscription variable to see whether the request is linked to a subscription (https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables). APIM itself does all the parsing of the Subscription value before your policy is called. If a valid subscription value has been passed with the API request, its details will be set and available in the context.Subscription variable. In the policy, the variable's value can be checked. If it is set, it means the client passed a valid subscription; otherwise the subscription is invalid or was not passed. The Operation level policy can have this condition:

    <inbound>
        <base />
        <!-- "blank" marks a request that is not linked to any valid subscription -->
        <set-variable name="subscriptionIdValue" value="@(context.Subscription is null ? "blank" : context.Subscription.Id)" />
        <choose>
            <when condition="@( context.Variables.GetValueOrDefault<string>("subscriptionIdValue") == "blank" )">
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }</set-body>
                </return-response>
            </when>
        </choose>
    </inbound>
    
user2122524 answered Sep 22 '25 02:09
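
The same check can be placed once at API scope, with the single open endpoint exempted by its operation id, instead of repeating an operation-level policy on every protected endpoint. This is an added example, not code from either answer; it assumes "Subscription required" is switched off for the API as in step 1 above and that context.Subscription behaves as the second answer describes, and the operation id `public-status` is a hypothetical placeholder.

```xml
<!-- API-scope policy (added example). Every operation requires a valid
     subscription except the one named below. -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- "public-status" is a hypothetical operation id: replace it with
                 the id of the one endpoint that must stay open. -->
            <when condition="@(context.Operation.Id != "public-status")">
                <choose>
                    <!-- No valid key was supplied, so the request is not
                         linked to any subscription. -->
                    <when condition="@(context.Subscription == null)">
                        <return-response>
                            <set-status code="401" reason="Unauthorized" />
                            <set-header name="Content-Type" exists-action="override">
                                <value>application/json</value>
                            </set-header>
                            <set-body>{ "statusCode": 401, "message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription." }</set-body>
                        </return-response>
                    </when>
                </choose>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because the exemption is by name, an operation added to the API later is covered by the key check by default rather than being left open until someone remembers to attach a policy to it.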