Skip to main content Link Menu Expand (external link) Document Search Copy Copied

Calling API and testing Subscription Keys

Let’s add another API, the Colors API.


  • Create a new API with OpenAPI specification and import swagger from
  • This time we will choose to not provide API URL suffix. Without API URL suffix, there could be endpoint conflicts, you can always leverage rewrite-uri policy to convert a request URL form to the form expected by the backend web service.

    APIM Add Colors API

    APIM Add Colors API

  • We can test the newly-added API from the Test tab. Note the successful 200 response.

    APIM Test Colors API

  • Products can be configured after the API is initially created as well. On the Settings tab, set Products to include Starter and Unlimited, then press Save.

    APIM Colors API Add Products

  • Switch to the Developer portal and look at the Colors API.
  • Try the Get random color operation.
  • Notice the successful 200 response and the returned random color.

    APIM Developer Portal Colors API Try It

    APIM Developer Portal Colors API Try It

Rate limit

Azure API Management uses rate limiting to protect APIs from being overwhelmed and helps prevent exposure to DDoS attacks. As Azure API Management sits in between your API and their callers, it effectively governs access to your APIs.

We are going to use the Colors website to demonstrate how rate limiting is applied. The website displays 500 lights. Each light will randomly make a call to the Get random color API and then apply the returned color to the lights.

Colors Website

First, we need to enable CORS for the domain name of the frontend. To achieve this we have to do the following in APIM:

  • On the sidemenu, click on APIs, then select the All APIs option.
  • Inside the Inbound processing area you will see the cors policy, which we added in part 2 by pressing the Enable Cors button.
  • Click on the pencil icon next to that policy to edit it.

    APIM Policy CORS All APIs

  • Here we will see this form where we can add the domain name of our frontend or the * for all domains. Press Add allowed origin, enter the URL, then press Save.

    APIM Policy CORS All APIs

  • After enabling CORS in Azure API Management let’s go back to our frontend and follow these steps:

  • Click on the hamburger menu next to Colors in the top left corner.
  • Click on Config.
  • Replace the API URL according to this format: (e.g.
  • After setting the API URL correctly, press the hamburger menu again and go to Home.
  • Press Start to see how the frontend is calling the api. You should see a 401 response, indicating an auth error. This happens as our API requires a subscription, but we have not yet entered a subscription key.

    Colors Website APIM 401

  • The subscription keys can be fetched from the Developer Portal. Open the main Developer Portal page, then click on Profile in the top menu.

  • Prepare the url in a text editor: Concat the base url and the subscription key for the Starter and Unlimited, and update modify the url with your Azure API Management instance:
  • To see that Unlimited product has no rate limits:
    • Configure the Colors website to use the Unlimited URL.
    • Select Start.
    • Notice there is no rate limit - every light is randomly and continuously updated.

      Colors Website APIM Unlimited Product

  • To see that Starter product is limited to 5 calls per minute:
    • Configure the Colors website to use the Starter URL.
    • Select Start.
    • Notice that only 5 lights get colored.

      Colors Website APIM Starter Product

  • Try the same Starter URL directly in your web browser and notice the error status / message returned:

    APIM Colors API URL in Browser for Starter Product 429