What fields does the Azure API Management connect form ask for?

A Name, Client ID, Secret, Tenant Id, Subscription Id, Resource Group, and Service ID. Client ID and Secret are write-only. Fill all of them, then run Test Connection.

Are the Azure Client ID and Secret stored in plain text?

No. Client ID and Secret are write-only fields. You enter them when you connect or update the gateway, and Apiable does not return them when you reopen the form.

Does Apiable fully support Azure API Management?

Core flow yes: connect, sync APIs, and deploy plan subscriptions as Azure products and subscriptions. Several per-key operations, including secret rotation, key enable and disable, on-gateway validation, and per-key usage, are not yet implemented.

Why can I not delete my Azure gateway?

Delete is disabled while a plan still uses the gateway. Repoint or remove those plans first, then delete the gateway from its row menu.

What Azure permissions does the service principal need?

Assign the built-in role API Management Service Contributor to the app registration, scoped to your API Management instance. That lets Apiable read APIs and manage products and subscriptions on that one service.

How do I get the Azure Client ID, Secret, and Tenant Id?

Create an app registration in Microsoft Entra ID. Its overview gives the Application (client) ID and Directory (tenant) ID. Add a client secret under Certificates and secrets, and copy its value once, when created.

Integrations

Connect Azure API Management

Connect Azure API Management in Apiable. Enter the connection name, Client ID, Secret, Tenant Id, Subscription Id, Resource Group, and Service ID, then run Test Connection.

You connect Azure API Management under Integrations → API Gateways. You give the connection a name and enter the service principal Client ID and Secret, plus your Tenant Id, Subscription Id, Resource Group, and Service ID. Then you run Test Connection. The core flow works on Azure today; some per-key operations do not yet.

Where do you connect Azure API Management?

Go to Integrations → API Gateways, choose + Add Gateway, and on Select an API Gateway Type pick Azure API Gateway, then connect.

Open Integrations → API Gateways.
Choose + Add Gateway.
On Select an API Gateway Type, select Azure API Gateway.
Confirm the selection to open the connect form. The gateway type is shown at the top.

What does each Azure field mean?

The connect form asks for a name and six Azure values. Client ID and Secret are write-only, so Apiable does not show them again after you save.

Field	What to enter
Name	A label for this connection inside Apiable. Required.
Client ID (write-only)	The application (client) ID of the Entra ID service principal Apiable authenticates as. Required.
Secret (write-only)	The client secret for that service principal. Required.
Tenant Id	Your Azure Entra ID tenant ID. Required.
Subscription Id	The Azure subscription that holds your API Management service. Required.
Resource Group	The resource group that holds the service. Required.
Service ID	The name of your API Management service. Required.

Apiable uses these to request an Azure access token and call the Azure Resource Manager API for your API Management service.

How do you set up a least-privilege service principal?

Create an app registration in Microsoft Entra ID, add a client secret, and assign it the built-in role API Management Service Contributor scoped to your API Management instance. That gives Apiable exactly the access it needs on one service, nothing wider.

In Microsoft Entra ID, go to App registrations and register a new application. Single tenant is enough, and no redirect URI is needed.
On the app's Overview, copy the Application (client) ID and the Directory (tenant) ID. These map to Client ID and Tenant Id in Apiable.
Under Certificates and secrets, add a new client secret. Copy its value immediately, since Azure shows it only once. This is the Secret in Apiable.
Open your API Management instance, go to Access control (IAM), and add a role assignment.
Assign the built-in role API Management Service Contributor, with the app registration as the member. Scope it to this API Management instance, not the whole subscription.

Apiable authenticates as this service principal, requests an Azure access token, and calls the Azure Resource Manager API for the one API Management service named by Service ID. With the role scoped to that instance, the credentials cannot reach other resources.

How do you test and save the Azure connection?

Fill in all seven fields, then click the refresh control labelled Test Connection. Apiable lists the APIs on your API Management service to confirm the credentials work. A green check reads passed; a red mark reads failed. Then click Save Changes.

Enter Name, Client ID, Secret, Tenant Id, Subscription Id, Resource Group, and Service ID. Test Connection stays disabled until all are filled.
Click the refresh control to run Test Connection. Apiable requests a token and lists the APIs on your service as the check.
Read the result: a green check means the test passed; a red mark means it failed.
Click Save Changes. The gateway appears on the API Gateways list with its Type, Created, and Edited times.

How do you point the Azure gateway at an Authorization Server?

Open the saved gateway and go to its Authorization tab. Choose the OAuth handler: Gateway-native only or Authorization Server. Picking Authorization Server reveals a picker of your connected servers.

The tab also shows a Level 0 API Key section and a Product-level governance pairing mode, then Save Changes. See Authorization Servers for how a bound server issues tokens.

Where do your Azure APIs appear after connecting?

They appear when you build a plan. Apiable lists the APIs on your API Management service, and you choose which the plan exposes. The connect form itself only sets up the connection.

When a consumer subscribes, Apiable creates an Azure product for the plan, attaches the plan's APIs to it, and creates an Azure subscription with primary and secondary keys. See APIs and coupling for picking APIs and how coupling works, and Plans for how plans sit on the gateway.

What does Apiable support on Azure API Management today?

The core flow: connect the gateway, sync its APIs, and deploy plan subscriptions as Azure products and subscriptions. Several per-key operations are not yet implemented on Azure.

These operations are not yet implemented on Azure:

Rotating a subscription's secret.
Enabling or disabling an individual API key.
Validating that a plan already exists on the gateway.
Reading usage per plan or per key from the gateway.

Troubleshooting

Match what you see to the fix.

What you see	What to do
Test Connection is greyed out	One of the seven fields is empty. Fill Name, Client ID, Secret, Tenant Id, Subscription Id, Resource Group, and Service ID.
Test Connection shows a red mark and failed	Apiable could not list APIs on your service. Check the Client ID and Secret, that the service principal has rights on the service, and that Subscription Id, Resource Group, and Service ID are correct.
The Secret field looks empty when you reopen the gateway	Secret and Client ID are write-only, so they are not returned to the form. Re-enter them if you need to test or save again.
Banner: your account does not have a sufficient role to manage gateway integrations	Your role cannot create or edit gateways. Ask an admin for the gateway management role, then reopen the form.
The Azure type shows Coming soon and cannot be picked	Your plan does not include that gateway type. The API Gateways page shows how many gateways your plan allows.
Delete is disabled on the gateway's row menu	A plan still uses this gateway. Repoint or remove those plans, then delete the gateway.
Secret rotation or per-key enable and disable does nothing	Those per-key operations are not yet implemented on Azure. Use Amazon API Gateway if you need them.

Where to next

API Gateways

What a gateway integration does and which types Apiable supports.

APIs and coupling

Pick which of this gateway's APIs a plan exposes.

Authorization Servers

Bind Keycloak or Auth0 so the gateway validates scoped OAuth2 tokens.

Connect Kong

The configure-along guide for a Kong connection, field by field.