A subscription key is an API Management credential that lets a caller access APIs tied to a subscription. It is not the same as an Azure subscription, even though the name is easy to confuse. The key is usually issued to a developer, app, partner, or product subscriber and sent with requests to APIM. It helps the gateway identify and allow callers, apply product rules, and support rotation. Treat it like a secret because anyone with the key can call the protected API until it is revoked or changed.
APIM subscription key, API Management subscription key, Ocp-Apim-Subscription-Key, API gateway key
Difficulty
fundamentals
CLI mappings
5
Last verified
2026-05-26T20:46:05Z
Microsoft Learn
In Azure API Management, a subscription key is the primary or secondary key associated with an API Management subscription. Clients include a valid key in requests so the gateway can allow product or API access, enforce policies, and track usage.
In Azure architecture, a subscription key sits in the API Management data-plane access path. APIM validates the key before routing traffic to backend APIs when subscription access is required. Keys are associated with APIM subscriptions, products, APIs, users, and sometimes developer portal workflows. They coexist with stronger controls such as OAuth, client certificates, managed identity to backends, policies, quotas, rate limits, and private networking. Operators manage them through the portal, REST API, automation, and evidence logs. Azure CLI commonly supports adjacent APIM discovery, while key operations often use REST calls.
Why it matters
Subscription keys matter because they are often the first control between external callers and an API gateway. They enable product-based access, partner onboarding, usage tracking, and emergency revocation without changing backend code. They are also a risk: leaked keys can be reused until rotated, and keys alone do not prove user identity or enforce fine-grained authorization. For serious APIs, subscription keys should be paired with OAuth, rate limits, quotas, IP restrictions, logging, and backend authentication. Operators must know who owns each key, what product it unlocks, when it was last rotated, and how quickly it can be revoked. That separation keeps consumer accountability practical.
⌁
Where you see it
Signals, screens, and Azure surfaces where this term usually becomes operational.
Signal 01
In the API Management Subscriptions blade, primary and secondary keys appear under a subscription with owner, scope, state, creation details, and regeneration actions. for consumers.
Signal 02
In API request samples, clients send the subscription key through the configured Ocp-Apim-Subscription-Key header or query parameter expected by the gateway. during integration testing. safely.
Signal 03
In APIM gateway logs, invalid or missing subscription keys appear as authorization failures before the request reaches the backend service or product policies. during access troubleshooting.
✦
When this becomes relevant
Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.
Onboard a partner to a specific APIM product without granting access to unrelated APIs or backends.
Rotate a leaked key using primary and secondary keys while keeping approved clients online during cutover.
Measure and throttle traffic per consumer so one integration cannot consume the entire API gateway capacity.
Disable a compromised or inactive subscription quickly during incident response without redeploying backend services.
Support developer portal self-service for low-risk APIs while reserving OAuth or certificates for higher-risk operations.
◆
Real-world case studies
Different enterprise-style examples that show the term being used to hit measurable objectives.
Case study 01
Partner weather API gets accountable access
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
A meteorology data provider exposed forecast APIs to dozens of shipping partners through API Management. Partners previously shared one gateway key, so traffic spikes could not be traced.
🎯Business/Technical Objectives
Issue separate access credentials for each partner product subscription.
Throttle excessive calls without affecting compliant partners.
Rotate keys quarterly without backend application deployments.
Create usage evidence for commercial account reviews.
✅Solution Using Subscription key
The API platform team created APIM products for standard and premium forecast tiers, then assigned each partner its own subscription key. Keys were delivered through a secure onboarding process and stored by partners in their secret managers. APIM policies enforced rate limits and quotas per subscription. CLI and az rest scripts inventoried products, subscription IDs, and nonsecret metadata for account managers, while key values were never written to reports. Primary and secondary key rotation procedures were tested with two pilot partners before the full rollout. Backend services trusted APIM through private networking and separate authentication.
📈Results & Business Impact
Unattributed traffic dropped from 100% of calls to less than 2% of legacy exceptions.
One runaway partner integration was throttled without affecting 41 other customers.
Quarterly key rotation completed with no reported shipping-planner downtime.
Usage reports supported a 17% revenue uplift from premium-tier renewals.
💡Key Takeaway for Glossary Readers
Subscription keys work best when each consumer has its own accountable credential, policy, and rotation path.
Case study 02
Food delivery platform contains leaked mobile test key
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
A food delivery company discovered that a test APIM subscription key had been copied into a public mobile build. Unknown clients began calling menu and promotion APIs overnight.
🎯Business/Technical Objectives
Stop unauthorized traffic within minutes without shutting down production APIs.
Preserve evidence for security review without exposing key values in tickets.
Move legitimate testers to a new key with minimal disruption.
Add controls so test keys could not reach production products again.
✅Solution Using Subscription key
Incident responders used CLI to confirm the APIM instance, product, API list, and affected subscription ID. They used the APIM management REST API through az rest to regenerate the exposed key and disabled the old test subscription after testers moved to the secondary key. Logs captured timestamps, caller IP patterns, subscription IDs, and product names, but not secret values. The team split test and production products, added quota limits to test subscriptions, and required mobile builds to retrieve keys from a secure pipeline secret store. A post-incident check searched repositories and build logs for accidental key exposure.
📈Results & Business Impact
Unauthorized calls stopped 11 minutes after the incident commander approved regeneration.
No production partner subscriptions were interrupted during containment.
Promotion API traffic returned to baseline within 30 minutes.
Follow-up scanning found and removed four stale test keys from old build artifacts.
💡Key Takeaway for Glossary Readers
A subscription key rotation plan turns a leaked gateway credential from a prolonged outage into a controlled containment action.
Case study 03
Open-data portal separates student projects from enterprise clients
Scenario, objectives, solution, measured impact, and takeaway.
📌Scenario
A government open-data portal served both classroom projects and paid enterprise analytics clients. Shared APIM keys made it impossible to protect capacity during public hackathon events.
🎯Business/Technical Objectives
Give educators low-friction access while protecting enterprise service levels.
Limit burst traffic from classroom and hackathon projects.
Keep enterprise keys private and tied to named customer contacts.
Improve showback reporting for API operating costs.
✅Solution Using Subscription key
The portal team created separate APIM products for education, community, and enterprise tiers. Each tier used its own subscription keys, quotas, and rate limits. The developer portal issued education keys after email verification, while enterprise keys required approval and secure delivery. CLI scripts listed products and APIs for monthly governance review, and az rest automation exported subscription metadata without key values. Azure Monitor dashboards tracked request count, throttling, and backend latency by product tier. Backend data services stayed behind private endpoints, with APIM as the controlled public gateway.
📈Results & Business Impact
Hackathon traffic was capped without impacting enterprise clients during three public events.
Enterprise p95 API latency stayed below 180 milliseconds during peak classroom usage.
Showback reports attributed 72% of API cost to the correct customer or program tier.
Support tickets about missing or invalid keys fell by 49% after developer portal guidance improved.
💡Key Takeaway for Glossary Readers
Subscription keys help APIM products balance openness and control when different audiences share the same API platform.
Why use Azure CLI for this?
Azure CLI is useful for subscription keys mainly through APIM discovery and secure REST automation. Engineers can list the APIM service, products, APIs, and resource IDs, then call APIM management REST operations for subscription review or key regeneration in a controlled script. That is better than copying secrets from the portal during incidents. CLI also supports evidence collection: which APIM instance, product, user, and policy were involved before a key was rotated or revoked. Because key values are sensitive, command output must be tightly controlled, and scripts should avoid logging primary or secondary keys. That repeatability matters most when several partners rotate on different schedules.
CLI use cases
Show the APIM instance and confirm the resource ID before performing any subscription-key operation.
List products and APIs to verify which access package a subscriber should receive.
Use az rest to inspect a subscription record when automation needs APIM management API coverage.
Regenerate a primary or secondary key during an approved rotation while recording nonsecret evidence.
Inventory APIM products and subscriptions for inactive partners, missing owners, or unusually broad API access.
Before you run CLI
Confirm tenant, Azure subscription ID, resource group, APIM service name, APIM subscription ID, and target product or API.
Treat key retrieval and regeneration as security-impacting because command output may expose usable credentials.
Verify caller permissions, change approval, client communication, and whether primary or secondary key rotation is planned.
Use secure output handling, avoid shell history leaks, and never paste keys into tickets, chat, screenshots, or build logs.
What output tells you
APIM service output confirms the gateway resource, SKU, location, identity, and management endpoint being targeted.
Product and API lists show which published surface a subscription key is intended to unlock.
Subscription REST output identifies scope, owner, state, and key metadata needed for access review or rotation planning.
Regeneration responses confirm the management operation succeeded, while logs should record IDs and timestamps without secret values.
Mapped Azure CLI commands
API Management subscription-key discovery commands
supports
az apim show --name <apim-name> --resource-group <resource-group>
az apimdiscoverIntegration
az apim product list --service-name <apim-name> --resource-group <resource-group>
az apim productdiscoverIntegration
az apim api list --service-name <apim-name> --resource-group <resource-group>
az apim apidiscoverIntegration
az rest --method get --uri https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-name>/subscriptions/<sid>?api-version=2024-05-01
az restsecureIntegration
az rest --method post --uri https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim-name>/subscriptions/<sid>/regeneratePrimaryKey?api-version=2024-05-01
az restsecureIntegration
Architecture context
As an Azure architect, I treat subscription keys as gateway credentials, not as a complete security model. They fit well for developer onboarding, product access, metering, and low-friction partner integration, but sensitive APIs still need identity-aware authorization. The APIM product design, subscription scope, developer portal process, key storage, rotation policy, and logging pattern all matter. Backends should not trust the key alone; APIM should authenticate to backends separately through managed identity, certificates, or protected network paths. A mature architecture defines primary and secondary key rotation, emergency disablement, ownership metadata, and monitoring for abnormal usage by subscription. This keeps gateway identity separate from application-level authorization decisions.
Security
Security impact is direct because a subscription key is a bearer secret for API access. Anyone who obtains it can call the API within the subscription scope unless additional controls stop them. Keys should be stored in Key Vault or a secure secret manager, never embedded in client-side code, logs, emails, or screenshots. Rotation should use primary and secondary keys so clients can move without downtime. APIM policies should add OAuth, JWT validation, rate limits, quotas, and IP or network controls where risk requires them. Operators should monitor unusual usage and revoke or regenerate keys quickly after suspected exposure. Gateway traces should mask keys before they reach shared observability systems.
Cost
A subscription key is not separately billed, but it controls API traffic that can drive APIM capacity, backend compute, data transfer, and downstream transaction costs. A leaked key can create a cost incident through abuse or uncontrolled retries. A poorly scoped key can let one partner consume capacity intended for another. Cost controls should include APIM quotas, rate limits, product-level policies, analytics, owner tags, and alerting on unusual call volume. FinOps teams should review high-traffic subscriptions, inactive keys, and products without limits. Good key hygiene reduces both security exposure and surprise gateway or backend bills. Usage reports should be reviewed before increasing quotas or APIM capacity.
Reliability
Reliability impact is indirect but real. A missing, expired, regenerated, or misrouted subscription key can look like an API outage to a customer even when the backend is healthy. Poor rotation planning can break every client using the old key at once. Reliable operations use primary and secondary keys, communicate rotation windows, test clients before cutover, and keep emergency rollback steps. APIM should return clear 401 or 403 responses, while monitoring separates authentication failures from backend latency and gateway capacity. Product subscriptions should be documented so revocation does not accidentally disable unrelated partners. Client runbooks should state which key is active before regeneration begins.
Performance
Performance impact is mostly indirect. APIM key validation is normal gateway work, but the subscription design affects throttling, quota policy, caching, and backend load. A single shared key across many clients hides which caller causes latency or spikes. Missing or invalid keys create fast failures that may appear as client-side performance issues. Operators should watch request rate, response time, gateway capacity, backend latency, and throttling by subscription where telemetry supports it. Performance improves when each caller or application has its own subscription, policies match traffic patterns, and abnormal key usage can be isolated without punishing everyone. That clarity shortens incidents more than tuning the key check itself.
Operations
Operators manage subscription keys during partner onboarding, product changes, incident response, key rotation, developer portal support, and access reviews. They inspect APIM products, subscriptions, users, APIs, policies, analytics, and gateway logs. Because key retrieval and regeneration may use REST or portal flows, automation must protect output and avoid writing secrets to logs. Runbooks should define how to issue a key, verify request headers, rotate primary and secondary keys, revoke a compromised subscription, and notify owners. Operators also compare key usage with quotas, rate limits, and billing or showback reports. That discipline prevents emergency troubleshooting from becoming a credential leak. It also keeps ownership clear during partner escalations.
Common mistakes
Confusing an API Management subscription key with the Azure subscription that contains the APIM resource.
Putting a subscription key in browser JavaScript, mobile apps, screenshots, source control, or shared support tickets.
Regenerating the only key a partner uses without moving them to the secondary key first.
Using one shared subscription key for many clients, which hides abuse and makes throttling unfair.
Relying on keys alone for sensitive APIs that also need OAuth, authorization checks, or private network controls.