Olivier Gérardin

Reputation: 1233

Azure API management: Open API (no subscription key) still gives error 401

I'd like to set up an open API, i.e. one that doesn't require a subscription key.

I have created the API and associated it with a new product which has "requires subscription" unchecked and is published. However, any call to this API results in the dreaded 401 "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API."

What am I missing?

Before marking this as duplicate: I have searched similar issues:

and they all seem to indicate that it's sufficient that the API is part of a published product where "requires subscription" is unchecked. Obviously there must be something else since I'm in this case and I still get the 401...

Upvotes: 0

Views: 2397

Answers (1)

Joey Cai

Reputation: 20127

You can use a <choose> policy to detect if the token is invalid and if so, return a 401 response.

As per RFC 6750, which describes how bearer tokens should be used, API Management also returns a WWW-Authenticate header with the 401 response. The WWW-Authenticate is intended to instruct a client on how to construct a properly authorized request.

For more details, you could refer to this article.

Upvotes: 1
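
A sketch of the kind of inbound policy the answer above describes, added here as an example (it is not code from the answer or from the article it links to). It assumes tokens are checked against an RFC 7662 introspection endpoint that returns JSON with an `active` field; the URL `https://idp.example.invalid/introspect` and the named value `introspection-auth` are placeholders.

```xml
<inbound>
    <base />
    <!-- Take the token from "Authorization: Bearer <token>"; empty if the header is absent -->
    <set-variable name="token"
        value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Split(' ').Last())" />

    <!-- Ask the token server whether the token is still valid.
         ignore-error="false" sends any failure to on-error, so the API fails closed. -->
    <send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="false">
        <!-- Placeholder URL: replace with your identity provider's introspection endpoint -->
        <set-url>https://idp.example.invalid/introspect</set-url>
        <set-method>POST</set-method>
        <set-header name="Authorization" exists-action="override">
            <!-- Hypothetical named value holding the gateway's own credentials -->
            <value>{{introspection-auth}}</value>
        </set-header>
        <set-header name="Content-Type" exists-action="override">
            <value>application/x-www-form-urlencoded</value>
        </set-header>
        <set-body>@($"token={(string)context.Variables["token"]}")</set-body>
    </send-request>

    <choose>
        <!-- Token reported inactive: stop here and answer 401 -->
        <when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
            <return-response>
                <set-status code="401" reason="Unauthorized" />
                <!-- RFC 6750: tell the client why the bearer token was rejected -->
                <set-header name="WWW-Authenticate" exists-action="override">
                    <value>Bearer error="invalid_token"</value>
                </set-header>
            </return-response>
        </when>
    </choose>
</inbound>
```

If the introspection response is not JSON or lacks `active`, the condition expression throws and the request is handled by the `on-error` section instead of reaching the backend.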
