API products API

An API product consists of a list of API resources (URIs) and custom metadata required by the API provider. API products enable you to bundle and distribute your APIs to multiple developer groups simultaneously without having to modify code. API products provide the basis for access control in Apigee, as they provide control over the set of API resources that apps are allowed to consume.

As part of the app provisioning workflow, developers select from a list of API products. This selection of an API product is usually made in the context of a developer portal. The developer app is provisioned with a key and secret (generated by and stored on Apigee Edge) that enable the app to access the URIs bundled in the selected API product.

To access API resources bundled in an API product, the app must present the API key issued by Apigee Edge. Apigee Edge will resolve the key that is presented against an API product, and then check associated API resources and quota settings.

The API supports multiple API products per app key, which enables app developers to consume multiple API products without requiring multiple keys. Also, a key can be 'promoted' from one API product to another. This enables you to promote developers from 'free' to 'premium' API products seamlessly and without user interruption. For more information, see What is an API product?.

Resource Types

URIs are relative to https://api.enterprise.apigee.com/v1, unless otherwise noted.

APIProduct

For more information, see APIProduct.

Method    Endpoint    Description

POST /organizations/{org_name}/apiproducts

Creates an API product in an organization. You create API products after you have proxied backend services using API proxies.

An API product is a collection of API resources combined with quota settings and metadata that you can use to deliver customized and productized API bundles to your developer community. This metadata may include the scope, environments, API proxies, and extensible profile.

API products enable you to repackage APIs on-the-fly, without having to do any additional coding or configuration.

Apigee recommends that you start with a simple API product including only required elements. Then provision credentials to apps to enable them to start testing your APIs. Once you have authentication and authorization working against a simple API product, you can iterate to create finer-grained API products, defining different sets of API resources for each API product.

Warning:

  • If you don't specify an API proxy in the request body, any app associated with the API product can make calls to any API in your entire organization.
  • If you don't specify an environment in the request body, the API product allows access to all environments.
    For more information, see Manage API products.

Ensure optimal API product and app security

An organization-level property, features.keymanagement.disable.unbounded.permissions, strengthens the security of API products in verifying API calls. When the property is set to true, the following features are enforced.

  • App creation: When creating a developer or company app, the Edge API requires that the app be associated with an API product. (The Edge UI already enforces this.)

  • API product configuration: To create or update an API product, the API product must include at least one API proxy or a resource path in its definition.

  • Runtime security: API calls are rejected by an API product in the following situations:

    • The API product doesn't include at least one API proxy or resource path.

    • The flow.resource.name variable in the message doesn't include a resource path that the API product can evaluate.

    • The app making the API call isn't associated with an API product.

Note: Setting this organization property requires system administrator privileges. Edge for Private Cloud system administrators can add this property when updating organization properties. If you are an Edge for Public Cloud user, contact Apigee Support to set the organization property.
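The two warnings and the configuration rule above can be checked against existing API product definitions before the organization property is turned on. The following audit is an added example, not Apigee code; the JSON field names (name, proxies, environments, apiResources) and the sample products are assumptions, since this page does not show a request or response body.

```python
import json

# Constructed sample of API product definitions. The field names (name,
# proxies, environments, apiResources) are assumptions about the product
# JSON; this page does not show a request or response body.
SAMPLE_PRODUCTS = json.loads("""
[
  {"name": "weather-free", "proxies": ["weather-v1"], "environments": ["prod"], "apiResources": ["/forecast/**"]},
  {"name": "legacy-all", "proxies": [], "environments": [], "apiResources": []},
  {"name": "paths-only", "proxies": [], "environments": ["test"], "apiResources": ["/status"]},
  {"name": "no-env", "proxies": ["orders-v2"], "apiResources": ["/"]}
]
""")


def _values(product, key):
    """Return the non-blank string entries of a list field, or [] if absent."""
    items = product.get(key) or []
    return [i for i in items if isinstance(i, str) and i.strip()]


def audit_product(product):
    """Return finding codes for one API product definition."""
    proxies = _values(product, "proxies")
    environments = _values(product, "environments")
    resources = _values(product, "apiResources")
    findings = []
    if not proxies:
        # Warning above: apps on this product can call any API in the org.
        findings.append("NO_PROXY")
    if not environments:
        # Warning above: the product allows access to all environments.
        findings.append("NO_ENVIRONMENT")
    if not proxies and not resources:
        # Refused once features.keymanagement.disable.unbounded.permissions
        # is true: neither an API proxy nor a resource path is defined.
        findings.append("UNBOUNDED")
    return findings


def audit(products):
    """Map product name -> findings, listing only products with findings."""
    report = {p.get("name", "<unnamed>"): audit_product(p) for p in products}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PRODUCTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Products reported as UNBOUNDED are the ones whose calls would start being rejected at runtime after the property is set to true, so they need a proxy or resource path first.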

DELETE /organizations/{org_name}/apiproducts/{apiproduct_name}

Deletes an API product from an organization.

Deleting an API product will cause app requests to the resource URIs defined in the API product to fail. Ensure that you create a new API product to serve existing apps, unless your intention is to disable access to the resources defined in the API product.

The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via the UI or API. View the list of API products to verify the internal name.

GET /organizations/{org_name}/apiproducts/{apiproduct_name}

Gets configuration details for an API product.

The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via the UI or API. View the list of API products to verify the internal name.

With Apigee Edge for Public Cloud:

  • The limit on the number of entities returned is 100.
  • Paginate the list of API products returned using the startkey and count query parameters.

PUT /organizations/{org_name}/apiproducts/{apiproduct_name}

Updates an existing API product.

Note: You must include all required values, whether or not you are updating them, as well as any optional values that you are updating.

The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via UI or API. View the list of API products to verify the internal name.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.

APIProductRequest

For more information, see APIProductRequest.

Method    Endpoint    Description

POST /organizations/{org_name}/apiproducts

Creates an API product in an organization. You create API products after you have proxied backend services using API proxies.

An API product is a collection of API resources combined with quota settings and metadata that you can use to deliver customized and productized API bundles to your developer community. This metadata may include the scope, environments, API proxies, and extensible profile.

API products enable you to repackage APIs on-the-fly, without having to do any additional coding or configuration.

Apigee recommends that you start with a simple API product including only required elements. Then provision credentials to apps to enable them to start testing your APIs. Once you have authentication and authorization working against a simple API product, you can iterate to create finer-grained API products, defining different sets of API resources for each API product.

Warning:

  • If you don't specify an API proxy in the request body, any app associated with the API product can make calls to any API in your entire organization.
  • If you don't specify an environment in the request body, the API product allows access to all environments.
    For more information, see Manage API products.

Ensure optimal API product and app security

An organization-level property, features.keymanagement.disable.unbounded.permissions, strengthens the security of API products in verifying API calls. When the property is set to true, the following features are enforced.

  • App creation: When creating a developer or company app, the Edge API requires that the app be associated with an API product. (The Edge UI already enforces this.)

  • API product configuration: To create or update an API product, the API product must include at least one API proxy or a resource path in its definition.

  • Runtime security: API calls are rejected by an API product in the following situations:

    • The API product doesn't include at least one API proxy or resource path.

    • The flow.resource.name variable in the message doesn't include a resource path that the API product can evaluate.

    • The app making the API call isn't associated with an API product.

Note: Setting this organization property requires system administrator privileges. Edge for Private Cloud system administrators can add this property when updating organization properties. If you are an Edge for Public Cloud user, contact Apigee Support to set the organization property.

PUT /organizations/{org_name}/apiproducts/{apiproduct_name}

Updates an existing API product.

Note: You must include all required values, whether or not you are updating them, as well as any optional values that you are updating.

The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via UI or API. View the list of API products to verify the internal name.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.

Attribute

For more information, see Attribute.

Method    Endpoint    Description

POST /organizations/{org_name}/apiproducts

Creates an API product in an organization. You create API products after you have proxied backend services using API proxies.

An API product is a collection of API resources combined with quota settings and metadata that you can use to deliver customized and productized API bundles to your developer community. This metadata may include the scope, environments, API proxies, and extensible profile.

API products enable you to repackage APIs on-the-fly, without having to do any additional coding or configuration.

Apigee recommends that you start with a simple API product including only required elements. Then provision credentials to apps to enable them to start testing your APIs. Once you have authentication and authorization working against a simple API product, you can iterate to create finer-grained API products, defining different sets of API resources for each API product.

Warning:

  • If you don't specify an API proxy in the request body, any app associated with the API product can make calls to any API in your entire organization.
  • If you don't specify an environment in the request body, the API product allows access to all environments.
    For more information, see Manage API products.

Ensure optimal API product and app security

An organization-level property, features.keymanagement.disable.unbounded.permissions, strengthens the security of API products in verifying API calls. When the property is set to true, the following features are enforced.

  • App creation: When creating a developer or company app, the Edge API requires that the app be associated with an API product. (The Edge UI already enforces this.)

  • API product configuration: To create or update an API product, the API product must include at least one API proxy or a resource path in its definition.

  • Runtime security: API calls are rejected by an API product in the following situations:

    • The API product doesn't include at least one API proxy or resource path.

    • The flow.resource.name variable in the message doesn't include a resource path that the API product can evaluate.

    • The app making the API call isn't associated with an API product.

Note: Setting this organization property requires system administrator privileges. Edge for Private Cloud system administrators can add this property when updating organization properties. If you are an Edge for Public Cloud user, contact Apigee Support to set the organization property.

DELETE /organizations/{org_name}/apiproducts/{apiproduct_name}

Deletes an API product from an organization.

Deleting an API product will cause app requests to the resource URIs defined in the API product to fail. Ensure that you create a new API product to serve existing apps, unless your intention is to disable access to the resources defined in the API product.

The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via the UI or API. View the list of API products to verify the internal name.

GET /organizations/{org_name}/apiproducts/{apiproduct_name}

Gets configuration details for an API product.

The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via the UI or API. View the list of API products to verify the internal name.

With Apigee Edge for Public Cloud:

  • The limit on the number of entities returned is 100.
  • Paginate the list of API products returned using the startkey and count query parameters.

PUT /organizations/{org_name}/apiproducts/{apiproduct_name}

Updates an existing API product.

Note: You must include all required values, whether or not you are updating them, as well as any optional values that you are updating.

The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via UI or API. View the list of API products to verify the internal name.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.

GET /organizations/{org_name}/apiproducts/{apiproduct_name}/attributes

Lists all API product attributes.

POST /organizations/{org_name}/apiproducts/{apiproduct_name}/attributes

Updates or creates API product attributes. This API replaces the current list of attributes with the attributes specified in the request body. In this way, you can update existing attributes, add new attributes, or delete existing attributes by omitting them from the request body.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.
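Because this call replaces the whole attribute list, a body that carries only the attribute being changed deletes every other attribute. The following read-modify-write helper is an added example, not Apigee code; the body shape {"attribute": [{"name": ..., "value": ...}]} and the sample attribute names are assumptions, since this page does not show the request or response body.

```python
# Assumed body shape: {"attribute": [{"name": ..., "value": ...}]}.
# This page does not show the request or response body.

def _as_map(body):
    """Flatten an attribute body into an ordered {name: value} mapping."""
    return {a["name"]: a["value"] for a in body.get("attribute", [])}


def silently_dropped(current, proposed):
    """Names that exist now and would be deleted by posting `proposed`."""
    keep = _as_map(proposed)
    return [name for name in _as_map(current) if name not in keep]


def build_replacement(current, changes):
    """Merge `changes` into the current attributes.

    `changes` maps name -> new value; a value of None deletes the attribute
    on purpose. Returns (full_body_to_post, intentionally_removed_names).
    """
    merged = _as_map(current)
    removed = []
    for name, value in changes.items():
        if value is None:
            if name in merged:
                del merged[name]
                removed.append(name)
        else:
            merged[name] = value
    body = {"attribute": [{"name": n, "value": v} for n, v in merged.items()]}
    return body, removed


# Constructed sample: the attributes currently set on a product, and a naive
# update body that only carries the one attribute being changed.
CURRENT = {"attribute": [{"name": "access", "value": "private"},
                         {"name": "tier", "value": "free"}]}
NAIVE = {"attribute": [{"name": "tier", "value": "premium"}]}

if __name__ == "__main__":
    print("naive body would delete:", silently_dropped(CURRENT, NAIVE))
    body, removed = build_replacement(CURRENT, {"tier": "premium"})
    print("safe body:", body, "removed on purpose:", removed)
```

Running silently_dropped against the body about to be posted, with the current list freshly fetched, catches an unintended deletion before it takes effect.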

DELETE /organizations/{org_name}/apiproducts/{apiproduct_name}/attributes/{attribute_name}

Deletes an API product attribute.

GET /organizations/{org_name}/apiproducts/{apiproduct_name}/attributes/{attribute_name}

Gets the value of an API product attribute.

POST /organizations/{org_name}/apiproducts/{apiproduct_name}/attributes/{attribute_name}

Updates the value of an API product attribute.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.

Attributes

For more information, see Attributes.

Method    Endpoint    Description

GET /organizations/{org_name}/apiproducts/{apiproduct_name}/attributes

Lists all API product attributes.

POST /organizations/{org_name}/apiproducts/{apiproduct_name}/attributes

Updates or creates API product attributes. This API replaces the current list of attributes with the attributes specified in the request body. In this way, you can update existing attributes, add new attributes, or delete existing attributes by omitting them from the request body.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.