Dangerous FAQ suggestion on APIM subscription keys
The linked section states: "Use subscription key authentication." as a potential solution to the question "How can I secure the connection between the API Management gateway and my backend services?"
This is partly true, but also dangerous for the following reasons:
- Subscription keys are observable in logs so can be easily read by a malicious insider.
- Developers have unfettered access across shared APIM instances, so the keys are also vulnerable to insider attack.
- They are sent in plaintext and are vulnerable to MITM.
Therefore, they should not be used to secure access to backend webservices. What am I missing?
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: b45736d2-b0f4-05c3-8e2f-fde88f53b61a
- Version Independent ID: f6c4d89a-1cc5-3e2a-6a3c-3b292cecead7
- Content: Azure API Management FAQs
- Content Source: articles/api-management/api-management-faq.yml
- Service: api-management
- GitHub Login: @dlepow
- Microsoft Alias: danlep
Thank you for your feedback! We will review and update as appropriate.
@garthoid - Thanks for the feedback on this article. You are correct that a subscription key by itself is not sufficient, but is often used by customers in conjunction with other mechanisms. See discussion here. I'll submit an update soon to the article to clarify the recommendation.
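Neither the FAQ text quoted above nor the reply names the "other mechanisms". The following inbound policy is an added example, not from the FAQ article or from anyone in this thread, showing one documented way to authenticate the gateway to the backend independently of the caller's subscription key: a client certificate presented by the gateway (mutual TLS). The backend URL `https://backend.example.com` and the all-zero thumbprint are placeholders, and it is assumed that the matching certificate has already been uploaded to the APIM instance.

```xml
<!-- Added example, not from the Azure API Management FAQ or this thread.
     Assumptions: backend at https://backend.example.com, a client certificate
     uploaded to the APIM instance, and the placeholder thumbprint below. -->
<policies>
    <inbound>
        <base />
        <!-- The subscription key, where required by the product/API, is still
             checked at the gateway. It protects the front door only; the
             gateway-to-backend hop needs its own credential. -->
        <set-backend-service base-url="https://backend.example.com" />
        <!-- The gateway authenticates itself to the backend with a client
             certificate. The backend must be configured to require and
             verify this certificate, otherwise the policy adds nothing. -->
        <authentication-certificate thumbprint="0000000000000000000000000000000000000000" />
        <!-- Strip the caller's subscription key so it is not forwarded to,
             and logged by, the backend. -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The point of the example is the division of labour: the subscription key identifies and rate-limits the caller at the gateway, while the certificate is what the backend trusts, so the backend can reject any client that is not the gateway (for instance, a caller who has learned the backend hostname). Where the backend accepts Entra ID tokens instead, the `authentication-managed-identity` policy with a `resource` attribute for the backend's audience serves the same role; in either case the backend must actually validate the credential it receives.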