How Azure API Management (APIM) Stores Secrets Securely

Introduction

Azure API Management (APIM) allows you to manage APIs securely, including storing sensitive information such as OAuth client secrets, subscription keys, API keys, and connection strings. This guide explains how APIM handles secrets internally and via Azure Key Vault for enterprise-level security.

1. Internal Secret Storage in APIM

By default, APIM stores secrets internally:

• Secrets are encrypted at rest using Azure encryption standards.
• Client secrets are never exposed to API consumers, logs, or frontend apps.
• Secrets are only used at runtime by APIM to request tokens from Azure AD or access protected resources.

2. Using Azure Key Vault with APIM

For higher security or enterprise compliance, APIM can reference secrets stored in Azure Key Vault:

• APIM uses Managed Identity to access Key Vault securely.
• Centralized secret rotation and access control are possible.
• Secrets are never hard-coded in APIM or backend code.

<set-variable name="clientSecret" value="@Microsoft.KeyVault(SecretUri=https://your-keyvault.vault.azure.net/secrets/ClientSecret)" />
    

Above example shows referencing a Key Vault secret dynamically in APIM policies.

3. Types of Secrets Stored

• OAuth Client Secrets: Used to request tokens from Azure AD.
• API Keys / Subscription Keys: Used to authenticate API calls.
• Connection Strings: For connecting to databases or storage accounts.
• Certificates: For client certificate authentication.

4. Best Practices for Secret Management

• Use Key Vault for all sensitive secrets whenever possible.
• Enable secret rotation and update APIM references dynamically.
• Restrict Key Vault access using RBAC and policies.
• Never expose secrets in frontend apps or logs.
• Audit access regularly for compliance.

Next Steps

• Learn about Azure APIM Versioning Strategies