azureapiazure-api-managementazure-appserviceapi-security

SubscriptionKeyInvalid in Azure API Management for an endpoint in a product that does not require subscription?


I have a very strange issue with Azure API Management, that I don't seem to figure out...

We have an API operation that is part of an APIM API that is linked with a Product that does not require a subscription. The intention is that this API endpoint is publicly available for consumers, without requiring any subscription keys, headers, etc...

But, when I call the endpoint from a deployed web app in Azure App Service, I get a 401 back?!
So, the obvious thing is that something is misconfigured, but I cannot get my head around it...

When looking in Application Insights, linked to the APIM instance, this is the trace, I see:

App insights view

But in the following screenshot, I get a hint of the mismatch, though I don't understand how this happens... If I copy the full url to a browser private session, I get back a 200 with successful data.
But the root cause of the 401 is probably in the yellow box, where there is an API product dev-product-admin, which indeed requires a subscription (and has JWT token policies configured). So, what I need to find out now, is how I can make sure that APIM is linking my incoming request to the right product, which doesn't require a subscription. Any hints?

Wrong product


Solution

  • And two minutes after writing down the question, you get your own insight... I checked the code and I was adding a SubscriptionKey header to that specific call (because of a configuration issue). And that subscription key was obviously making the link to the specific Product (which indeed requires more authorization)