Create an API product in the Apigee Edge management UI at https://enterprise.apigee.com. (You can obtain a free account at https://accounts.apigee.com/accounts/sign_up.) You must set up your products using the Edge management UI before you can make them available on your developer portal.
You can set up an API Products with no resources to make it easier to get up and running. You can create a single API Product for all of your developers by using wildcards. (In fact, this is a common use case for initial 'v1' API rollouts.) You can just create a single API Product and provide the base path along with a wildcard. The wildcard will be interpreted by the system at runtime as meaning that any requested resource in the URI tree below the wildcard is permitted.
This section explains a few key concepts related to API products. It's helpful to familiarize yourself with these concepts before you create a new API product.
An API product cannot be accessed without an API key. The key is automatically associated with an API product when the product is added to an app. Because an API product can be associated with multiple apps, there might be a large number of keys that provide access to that product.
Manual key approval
By default, all key requests to an API product are automatically approved. You can instead choose to approve keys manually. If you set this option in the Edge management UI when creating the product, you will have to approve key requests that come in from any app that adds the API product. See Creating apps to surface your API for more
You can also create a product that requires manual approval of keys, using the API Product API.
You can control the traffic flow for each API product by setting up a quota. Quotas can protect your backend servers for high traffic, and differentiate your product line. For example, you might want to bundle resources with a high quota as a premium product and use the same bundle with a lower quota as a basic product. A quota can help protect your servers from being overwhelmed if a product is particularly popular.
As an added level of security, you can define any OAuth scopes that must be present in access tokens sent through the product. When you're creating a product, you need to be aware of all the scopes your organization uses. The scopes you add to a product must match existing scopes or the product is not secure.
For more information about using scopes with Edge OAuth policies, see Authorize requests using OAuth 2.0.
To create a new API product:
- Login to the Edge management UI at https://enterprise.apigee.com. (You can obtain a free account at https://accounts.apigee.com/accounts/sign_up.)
- Click the Publish tab, then Products
- Click the (+) Product button.
- On the Add Products page, enter a name and description for the product.
- Select the test environment for internal-facing products or the production environment for public-facing products.
- Enable an access level option.
These options determine who can access the product. You can use these levels to control access at different stages of development.
Only products marked "Public" are available to developers in the Apigee developer portal.
For example, you can set a product to "Internal Only" while it's in development and then change access to "Public" when it's ready to release.
- Select a automatic key approval or manual key approval.
If you select automatic key approval, all key requests that come in from any app that uses this API product are automatically approved. If you select manual key approval, you will have to approve key requests that come in from any app that uses this API product.
- Enter a service limit number and select a time period (week, hour, minute, second).
This sets up a quota for your product that limits the number of calls the product accepts in a given time period.
- Enter a scope for the product (such as 'Read').
The scope should match one of the scopes you defined in your security policy. If they don't match your API may not be secure.
- In the API Resource Paths for Product section, select the API Proxy you want to add, select a version, and a Resource Path. You can select a specific path, or you can select all subpaths with a wildcard.
Wildcards (/** and /*) are supported. The double asterisk wildcard indicates that all sub-URIs are included. A single asterisk indicates that only URIs one level down are included.
- Click Import Resource Path, then Save.
The new product appears in the Products table.
- Save your product.
Before you can use an API product you need to configure the API proxies you want to use in the product so that they proxies perform the following functions:
- Support the client credentials form of OAuth 2.0 (aka “two-legged OAuth”), so it requires a valid OAuth token on every API call
- Enforces a quota on each application, restricting how many API calls may be made in a day, month, or year
To do this you need to attach two policies to the API proxies to set up API key validation and quotas:
- API Key Validation- to verify the API key for an API product defined in Apigee. It returns an error if the key is invalid and if it is valid, Apigee looks up the attributes from the API product.
- Rate Limit: Quota - to enforce a quota on the number of API calls your application makes based on the values set in the API product.
You can delete resources that you've added to a product. You might want to do this if a resource is malfunctioning or requires more development. When deleted, that API or resource is no longer part of the product. Any app that uses the product can no longer access the deleted resource. Deleted APIs are removed from the product but are not deleted from the system, so they can still be used by other products.
To delete a resource
- In the API Resource Paths for Product section of the product details window, locate the resource path you want to disable, then click Delete in the Actions column.