Developer apps API

Manage developers that register apps.

Resource Types

URIs are relative to https://api.enterprise.apigee.com/v1, unless otherwise noted.

APIProductRef

For more information, see APIProductRef.
Method   Endpoint   Description
POST /organizations/{org_name}/developers/{developer_email}/apps

Creates an app associated with a developer, associates the app with an API product, and auto-generates an API key for the app to use in calls to API proxies inside the API product.

The name is the unique ID of the app that you can use in Edge API calls. The DisplayName (set with an attribute) is what appears in the Edge UI. If you don't provide a DisplayName, the name is used.

The keyExpiresIn property sets the expiration on the API key. If you don't set a value or set the value to -1, the API key never expires.

Ensure optimal API product and app security

An organization-level property, features.keymanagement.disable.unbounded.permissions, strengthens the security of API products in verifying API calls. When the property is set to true, the following features are enforced.

  • App creation: When creating a developer or company app, the Edge API requires that the app be associated with an API product. (The Edge UI already enforces this.)

  • API product configuration: To create or update an API product, the API product must include at least one API proxy or a resource path in its definition.

  • Runtime security: An API product rejects API calls in the following situations:

    • The API product doesn't include at least one API proxy or resource path.

    • The flow.resource.name variable in the message doesn't include a resource path that the API product can evaluate.

    • The app making the API call isn't associated with an API product.

Note: Setting this organization property requires system administrator privileges. Edge for Private Cloud system administrators can add this property when updating organization properties. If you are an Edge for Public Cloud user, contact Apigee Support to set the organization property.

DELETE /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Deletes a developer app.

With Apigee Edge for Public Cloud, deletion of the developer app and associated artifacts happens asynchronously. The developer app is deleted immediately, but the resources associated with that developer app, such as app keys or access tokens, may take anywhere from a few seconds to a few minutes to be automatically deleted.

GET /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Gets the profile of a specific developer app.

POST /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Approves, revokes, or generates an API key for a developer app.

To approve or revoke the API key for a developer app, set status to approve or revoke in the request body.

Note: As a convenience, you can call the API with the action query parameter set to approve or revoke (with no request body) and set the Content-Type header to application/octet-stream. In this case, the HTTP status code for success is 204 No Content.

To generate a new consumer key and consumer secret for the developer app, pass the required details, such as API products, in the request body. Rather than replace an existing key, the API generates a new key.

For example, if you're using API key rotation, you can generate new keys with expiration times that overlap keys that will be out of rotation when they expire. You might also generate a new key/secret if the security of the original key/secret is compromised. After the new API key is generated, multiple key pairs will be associated with a single app. Each key pair has an independent status (revoked or approved) and an independent expiration time. Any non-expired, approved key can be used in an API call. You should revoke an API key that has been compromised.

Note: You must include all current attribute and callback values in the payload; otherwise, the existing values are removed.

If you want to set the consumer key and consumer secret rather than having Edge generate them randomly, see Import existing consumer keys and secrets. (However, that API does not let you set an expiration time.)
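
An added example (not part of the Apigee documentation): a Python check that applies the rule above, that only a non-expired, approved key is usable, to one app profile. It flags approved keys that never expire and reports whether a successor key already overlaps the keys about to expire. The profile field names and all sample values are assumptions constructed for illustration.

```python
# Constructed sample of a developer app profile. The field names used here
# (credentials, consumerKey, status, expiresAt as epoch milliseconds with -1
# for "never expires") are assumptions about the profile's shape.
SAMPLE_PROFILE = {
    "name": "example-app",
    "credentials": [
        {"consumerKey": "key-old-EXAMPLE", "status": "approved", "expiresAt": 1700000000000},
        {"consumerKey": "key-new-EXAMPLE", "status": "approved", "expiresAt": 1800000000000},
        {"consumerKey": "key-leaked-EXAMPLE", "status": "revoked", "expiresAt": -1},
        {"consumerKey": "key-forever-EXAMPLE", "status": "approved", "expiresAt": -1},
    ],
}

DAY_MS = 24 * 60 * 60 * 1000


def audit_keys(profile, now_ms, window_ms):
    """Classify every key pair of one app: usable or not, plus findings."""
    report = []
    for cred in profile.get("credentials", []):
        expires_at = cred.get("expiresAt", -1)
        never_expires = expires_at == -1
        expired = not never_expires and expires_at <= now_ms
        # Each key pair has its own status and its own expiration time;
        # only a non-expired, approved key can be used in an API call.
        usable = cred.get("status") == "approved" and not expired
        findings = []
        if usable and never_expires:
            findings.append("approved key never expires")
        elif usable and expires_at - now_ms <= window_ms:
            findings.append("expires within rotation window")
        report.append({
            "consumerKey": cred.get("consumerKey"),
            "usable": usable,
            "expired": expired,
            "findings": findings,
        })
    return report


def rotation_covered(profile, now_ms, window_ms):
    """True when an approved key with a bounded lifetime outlives the window,
    i.e. a successor already overlaps the keys that are about to expire.
    Never-expiring keys are not counted: they are findings, not a rotation."""
    return any(
        cred.get("status") == "approved"
        and cred.get("expiresAt", -1) > now_ms + window_ms
        for cred in profile.get("credentials", [])
    )


if __name__ == "__main__":
    now = 1750000000000  # fixed timestamp so the output is reproducible
    for row in audit_keys(SAMPLE_PROFILE, now, 30 * DAY_MS):
        print(row)
    print("rotation covered:", rotation_covered(SAMPLE_PROFILE, now, 30 * DAY_MS))
```

When `rotation_covered` returns False, no bounded key outlives the window, which is the point at which the rotation described above calls for generating a new key.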

PUT /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Updates an existing developer app.

You can add an app to an API product with this API, which automatically generates an API key for the app to use when calling APIs in the product. (Alternatively, you can add an API product to an existing key.)

Note: You must include all current attribute, API product, and callback values in the payload along with any changes you want to make; otherwise, the existing values are removed. To display the current values, get the developer app profile. You cannot update the scopes associated with the app by using this API. Instead, use the Update app scope API.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.

Attribute

For more information, see Attribute.
Method   Endpoint   Description
POST /organizations/{org_name}/developers/{developer_email}/apps

Creates an app associated with a developer, associates the app with an API product, and auto-generates an API key for the app to use in calls to API proxies inside the API product.

DELETE /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Deletes a developer app.

GET /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Gets the profile of a specific developer app.

POST /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Approves, revokes, or generates an API key for a developer app.

PUT /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Updates an existing developer app.

GET /organizations/{org_name}/developers/{developer_email}/apps/{app_name}/attributes

Gets developer app attributes and their values.

POST /organizations/{org_name}/developers/{developer_email}/apps/{app_name}/attributes

Updates app attributes.

This API replaces the current list of attributes with the attributes specified in the request body. This lets you update existing attributes, add new attributes, or delete existing attributes by omitting them from the request body.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.
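
An added example (not part of the Apigee documentation): a Python pre-flight check for the replace-on-write rule described above for the attributes endpoint and, earlier on this page, for the PUT that updates a developer app. It reports what a candidate payload would remove and builds payloads that carry the current values forward. The field names (attributes, credentials, apiProducts, apiproduct, callbackUrl) and the sample profile are assumptions constructed for illustration.

```python
# Constructed sample of the profile returned when you get a developer app.
# Assumed shape: the app's API products are listed under each credential.
CURRENT_PROFILE = {
    "name": "example-app",
    "callbackUrl": "https://app.example.com/callback",
    "attributes": [
        {"name": "DisplayName", "value": "Example App"},
        {"name": "owner-team", "value": "payments"},
    ],
    "credentials": [
        {"consumerKey": "key-EXAMPLE", "apiProducts": [
            {"apiproduct": "product-a", "status": "approved"},
            {"apiproduct": "product-b", "status": "approved"},
        ]},
    ],
}


def current_values(profile):
    """Return (attributes dict, sorted product names, callback URL)."""
    attrs = {a["name"]: a.get("value") for a in profile.get("attributes", [])}
    products = sorted({
        p["apiproduct"]
        for cred in profile.get("credentials", [])
        for p in cred.get("apiProducts", [])
    })
    return attrs, products, profile.get("callbackUrl") or ""


def dropped_by_update(profile, payload):
    """List the current values that an app update payload would remove."""
    attrs, products, callback = current_values(profile)
    sent_attrs = {a["name"] for a in payload.get("attributes", [])}
    sent_products = set(payload.get("apiProducts", []))
    return {
        "attributes": sorted(set(attrs) - sent_attrs),
        "apiProducts": [p for p in products if p not in sent_products],
        "callbackUrl": bool(callback) and not payload.get("callbackUrl"),
    }


def build_update(profile, set_attributes=None, add_products=()):
    """Read-modify-write: start from every current value, then apply changes."""
    attrs, products, callback = current_values(profile)
    attrs.update(set_attributes or {})
    return {
        "name": profile["name"],
        "attributes": [{"name": n, "value": v} for n, v in attrs.items()],
        "apiProducts": sorted(set(products) | set(add_products)),
        "callbackUrl": callback,
    }


def replacement_attributes(profile, set_attributes=None, delete=()):
    """Full attribute list for the attributes endpoint: anything left out
    of the list is deleted, so deletions are made explicit here."""
    attrs, _, _ = current_values(profile)
    attrs.update(set_attributes or {})
    return [{"name": n, "value": v} for n, v in attrs.items() if n not in set(delete)]
```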

DELETE /organizations/{org_name}/developers/{developer_email}/apps/{app_name}/attributes/{attribute_name}

Deletes a developer app attribute.

GET /organizations/{org_name}/developers/{developer_email}/apps/{app_name}/attributes/{attribute_name}

Gets a developer app attribute.

POST /organizations/{org_name}/developers/{developer_email}/apps/{app_name}/attributes/{attribute_name}

Updates a developer app attribute.

Apigee Edge for Public Cloud only: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an ExpiresIn element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds.

Attributes

For more information, see Attributes.
Method   Endpoint   Description
GET /organizations/{org_name}/developers/{developer_email}/apps/{app_name}/attributes

Gets developer app attributes and their values.

POST /organizations/{org_name}/developers/{developer_email}/apps/{app_name}/attributes

Updates app attributes.

DeveloperApp

For more information, see DeveloperApp.
Method   Endpoint   Description
POST /organizations/{org_name}/developers/{developer_email}/apps

Creates an app associated with a developer, associates the app with an API product, and auto-generates an API key for the app to use in calls to API proxies inside the API product.

DELETE /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Deletes a developer app.

GET /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Gets the profile of a specific developer app.

POST /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Approves, revokes, or generates an API key for a developer app.

PUT /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Updates an existing developer app.

DeveloperAppRequest

For more information, see DeveloperAppRequest.
Method   Endpoint   Description
POST /organizations/{org_name}/developers/{developer_email}/apps

Creates an app associated with a developer, associates the app with an API product, and auto-generates an API key for the app to use in calls to API proxies inside the API product.

PUT /organizations/{org_name}/developers/{developer_email}/apps/{app_name}

Updates an existing developer app.
