As your developers start working with your APIs, you might occasionally need to cut off or limit access. You may have an API that's malfunctioning, or a particular developer is having issues with their apps. In these cases, Apigee offers several ways to block access. The most common methods are revoking keys and refreshing end-user tokens.

A key is attached to every call an app makes. When you revoke a key, you block all traffic from that specific app, because all of its calls become invalid.

A user token authorizes a specific user IP address. When you refresh user tokens, you reset that authorization for all users, forcing them to get a new token to make calls.

You can also limit access by controlling the traffic from apps. See Control traffic flow for more.

Controlling access using keys

Keys are automatically generated when you create an app. Each app is assigned a key and a secret key. Together, these keys act like a username/password combo that authorizes an app to access your resources. When an application makes a request, Apigee inspects it to verify that the API key matches the resource that the app is requesting, and checks the API product definitions associated with the API key to see whether the resource is permitted. If everything lines up, Apigee sends back the requested resource data.

As the API provider, you can decide who gets a key and whether that key is enabled or disabled. When you disable a key, every application that contains that key no longer has access to the resources in the associated API product. Depending on how you set up your apps, a disabled key can cut off entire sets of functionality, or completely disable the app. For example, if you find a serious error in an API resource, you can disable the key for its app, preventing errors in your developers' applications.

Controlling access to products

A product cannot be accessed without a key. The key is associated with a product when the product is included in an app. You can revoke the keys associated with a product. When you revoke keys for a product, you are only revoking access to that product, not invalidating the keys. The keys can still access other products.
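The difference between revoking a key for one product and revoking the key itself, as an added example that is not Apigee code: a simplified model of the check described above. The ApiKey, Product and check_access names, the prefix matching, and the sample key, products and paths are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

APPROVED, REVOKED = "approved", "revoked"

@dataclass
class Product:
    name: str
    resource_prefixes: list  # constructed: resource paths this product exposes

@dataclass
class ApiKey:
    value: str
    status: str = APPROVED                        # state of the key as a whole
    products: dict = field(default_factory=dict)  # product name -> per-product state

def check_access(key_store, catalog, presented_key, path):
    """Return (allowed, reason) for one request (hypothetical, simplified model)."""
    key = key_store.get(presented_key)
    if key is None:
        return False, "unknown key"
    if key.status != APPROVED:
        return False, "key revoked"  # blocks every call made with this key
    for name, state in key.products.items():
        if state != APPROVED:
            continue  # key revoked for this product only; other products still count
        if any(path.startswith(p) for p in catalog[name].resource_prefixes):
            return True, f"permitted by {name}"
    return False, "no approved product covers this resource"

def demo():
    # Constructed sample data: one app key associated with two products.
    catalog = {
        "weather": Product("weather", ["/weather/"]),
        "maps": Product("maps", ["/maps/"]),
    }
    key = ApiKey("k-constructed-123", products={"weather": APPROVED, "maps": APPROVED})
    store = {key.value: key}
    results = [check_access(store, catalog, key.value, "/maps/tiles")]
    key.products["maps"] = REVOKED   # revoke the key for one product
    results.append(check_access(store, catalog, key.value, "/maps/tiles"))
    results.append(check_access(store, catalog, key.value, "/weather/today"))
    key.status = REVOKED             # revoke the key itself
    results.append(check_access(store, catalog, key.value, "/weather/today"))
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```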

To revoke a key for a product

  1. On the Developer Apps summary page, select an app.
  2. On the App detail page, locate the product you want to disable in the Products Used table.
  3. Click Revoke in the Actions column.
    If the app is using a product with manual key approval, you'll see Key Request in this column. You will have the option to Approve or Delete the key request.