openapi: 3.0.0 servers: - url: https://api.enterprise.apigee.com/v1 info: title: API products API description: >- An API product consists of a list of API resources (URIs) and custom metadata required by the API provider. API products enable you to bundle and distribute your APIs to multiple developer groups simultaneously without having to modify code. API products provide the basis for access control in Apigee, as they provide control over the set of API resources that apps are allowed to consume. As part of the app provisioning workflow, developers select from a list of API products. This selection of an API product is usually made in the context of a developer portal. The developer app is provisioned with a key and secret (generated by and stored on Apigee Edge) that enable the app to access the URIs bundled in the selected API product. To access API resources bundled in an API product, the app must present the API key issued by Apigee Edge. Apigee Edge will resolve the key that is presented against an API product, and then check associated API resources and quota settings. The API supports multiple API products per app key, which enables app developers to consume multiple API products without requiring multiple keys. Also, a key can be 'promoted' from one API product to another. This enables you to promote developers from 'free' to 'premium' API products seamlessly and without user interruption. For more information, see What is an API product?. version: '1.0' security: - Basic: [] - OAuth: [] paths: "/organizations/{org_name}/apiproducts": post: tags: ["API Product"] summary: Create API product description: >- Creates an API product in an organization. You create API products after you have proxied backend services using API proxies. An API product is a collection of API resources combined with quota settings and metadata that you can use to deliver customized and productized API bundles to your developer community. This metadata may include the scope, environments, API proxies, and extensible profile. API products enable you to repackage APIs on-the-fly, without having to do any additional coding or configuration. Apigee recommends that you start with a simple API product including only required elements. Then provision credentials to apps to enable them to start testing your APIs. Once you have authentication and authorization working against a simple API product, you can iterate to create finer-grained API products, defining different sets of API resources for each API product. **Warning:** * If you don't specify an API proxy in the request body, any app associated with the API product can make calls to any API in your entire organization. * If you don't specify an environment in the request body, the API product allows access to all environments. For more information, see Manage API products. **Ensure optimal API product and app security** An organization-level property, `features.keymanagement.disable.unbounded.permissions`, strengthens the security of API products in verifying API calls. When the property is set to `true`, the following features are enforced. * **App creation**: When creating a developer or company app, the Edge API requires that the app be associated with an API product. (The Edge UI already enforces this.) * **API product configuration**: To create or update an API product, the API product must include at least one API proxy or a resource path in its definition. * **Runtime security**: API calls are rejected by an API product in the following situations: * An API product doesn't include at least one API proxy or resource path. * If the `flow.resource.name` variable in the message doesn't include a resource path that the API product can evaluate. * If the app making the API call isn't associated with an API product. **Note:** Setting this organization property requires system administrator privileges. Edge for Private Cloud system administrators can add this property when updating organization properties. If you are an Edge for Public Cloud user, contact Apigee Support to set the organization property. operationId: createAPIProduct parameters: - $ref: '#/components/parameters/org_name' responses: '201': description: OK content: application/json: schema: $ref: '#/components/schemas/APIProduct' example: apiResources: - / approvalType: auto attributes: - name: access value: public createdAt: 1576006010770 createdBy: ahamilton@example.com description: "My API product" displayName: My API product environments: ["test"] lastModifiedAt: 1586780529100 lastModifiedBy: ahamilton@example.com name: myapiproduct proxies: - myproxy - myproxy2 scopes: [] '400': description: Bad request requestBody: description: API product request. content: application/json: schema: $ref: '#/components/schemas/APIProductRequest' example: apiResources: - / approvalType: auto attributes: - name: access value: public description: "My API product" displayName: My API product environments: ["test"] name: myapiproduct proxies: - myproxy - myproxy2 scopes: [] get: tags: ["API Product"] summary: List API products description: >- Lists API products for an organization. Filter the list by passing an `attributename` and `attibutevalue`. With Apigee Edge for Public Cloud: * The limit on the number of API products returned is 1000. * Paginate the list of API products returned using the `startKey` and `count` query parameters. operationId: listAPIProducts parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/attributename' - $ref: '#/components/parameters/attributevalue' - $ref: '#/components/parameters/expand' - $ref: '#/components/parameters/count' - $ref: '#/components/parameters/startKey' responses: '200': description: OK content: application/json: schema: type: array items: description: API product name. type: string example: - API product 1 - API product 2 '400': description: Bad request "/organizations/{org_name}/apiproducts/{apiproduct_name}": get: tags: ["API Product"] summary: Get API product description: >- Gets configuration details for an API product. The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via the UI or API. View the list of API products to verify the internal name. With Apigee Edge for Public Cloud: * The limit on the number of entities returned is 100. * Paginate the list of API products returned using the `startkey` and `count` query parameters. operationId: getAPIProduct parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/apiproduct_name' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/entity' - $ref: '#/components/parameters/startkey' - $ref: '#/components/parameters/count-apps' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/APIProduct' example: apiResources: - / approvalType: auto attributes: - name: access value: public createdAt: 1576006010770 createdBy: ahamilton@example.com description: "My API product" displayName: My API product environments: ["test"] lastModifiedAt: 1586780529100 lastModifiedBy: ahamilton@example.com name: myapiproduct proxies: - myproxy - myproxy2 scopes: [] '400': description: Bad request put: tags: ["API Product"] summary: Update API product description: >- Updates an existing API product. **Note**: You must include all required values, whether or not you are updating them, as well as any optional values that you are updating. The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via UI or API. View the list of API products to verify the internal name. **Apigee Edge for Public Cloud only**: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an `ExpiresIn` element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds. operationId: updateAPIProduct parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/apiproduct_name' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/APIProduct' example: apiResources: - / approvalType: auto attributes: - name: access value: public createdAt: 1576006010770 createdBy: ahamilton@example.com description: "My API product" displayName: My API product environments: ["test"] lastModifiedAt: 1586780529100 lastModifiedBy: ahamilton@example.com name: myapiproduct proxies: - myproxy - myproxy2 scopes: [] '400': description: Bad request requestBody: description: API product request. content: application/json: schema: $ref: '#/components/schemas/APIProductRequest' example: apiResources: - / approvalType: auto attributes: - name: access value: public description: "My API product" displayName: My API product environments: ["test"] proxies: - myproxy - myproxy2 scopes: [] delete: tags: ["API Product"] summary: Delete API product description: >- Deletes an API product from an organization. Deleting an API product will cause app requests to the resource URIs defined in the API product to fail. Ensure that you create a new API product to serve existing apps, unless your intention is to disable access to the resources defined in the API product. The API product name required in the request URL is the internal name of the product, not the display name. While they may be the same, it depends on whether the API product was created via the UI or API. View the list of API products to verify the internal name. operationId: deleteAPIProduct parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/apiproduct_name' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/APIProduct' example: apiResources: - / approvalType: auto attributes: - name: access value: public createdAt: 1576006010770 createdBy: ahamilton@example.com description: "My API product" displayName: My API product environments: ["test"] lastModifiedAt: 1586780529100 lastModifiedBy: ahamilton@example.com name: myapiproduct proxies: - myproxy - myproxy2 scopes: [] '400': description: Bad request "/organizations/{org_name}/apiproducts/{apiproduct_name}/attributes": post: tags: ["API Product"] summary: Update all API product attributes description: >- Updates or creates API product attributes. This API **replaces** the current list of attributes with the attributes specified in the request body. In this way, you can update existing attributes, add new attributes, or delete existing attributes by omitting them from the request body. **Apigee Edge for Public Cloud only**: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an `ExpiresIn` element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds. operationId: updateAPIProductAttributes parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/apiproduct_name' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Attributes' example: attribute: - name: access value: public '400': description: Bad request requestBody: content: application/json: schema: $ref: '#/components/schemas/Attributes' example: attribute: - name: access value: public description: API product attributes. get: tags: ["API Product"] summary: List API product attributes description: >- Lists all API product attributes. operationId: listAPIProductAttributes parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/apiproduct_name' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Attributes' example: attribute: - name: access value: public '400': description: Bad request "/organizations/{org_name}/apiproducts/{apiproduct_name}/attributes/{attribute_name}": post: tags: ["API Product"] summary: Update API product attribute description: >- Updates the value of an API product attribute. **Apigee Edge for Public Cloud only**: OAuth access tokens and Key Management Service (KMS) entities (apps, developers, and API products) are cached for 180 seconds (current default). Any custom attributes associated with these entities also get cached for at least 180 seconds after the entity is accessed at runtime. Therefore, an `ExpiresIn` element on the OAuthV2 policy won't be able to expire an access token in less than 180 seconds. operationId: updateAPIProductAttribute parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/apiproduct_name' - $ref: '#/components/parameters/attribute_name' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Attribute' example: name: access value: public '400': description: Bad request requestBody: content: application/json: schema: type: object properties: value: type: string description: Value for the API product attribute. description: API product details. delete: tags: ["API Product"] summary: Delete API product attribute description: Deletes an API product attribute. operationId: deleteAPIProductAttribute parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/apiproduct_name' - $ref: '#/components/parameters/attribute_name' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Attribute' example: name: access value: public '400': description: Bad request get: tags: ["API Product"] summary: Get API product attribute description: Gets the value of an API product attribute. operationId: getAPIProductAttribute parameters: - $ref: '#/components/parameters/org_name' - $ref: '#/components/parameters/apiproduct_name' - $ref: '#/components/parameters/attribute_name' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Attribute' example: name: access value: public '400': description: Bad request components: securitySchemes: Basic: type: http scheme: basic description: >- Multi-factor authentication is not supported. OAuth: type: http scheme: bearer bearerFormat: JWT parameters: org_name: in: path name: org_name required: true schema: type: string description: Organization name. apiproduct_name: in: path name: apiproduct_name required: true schema: type: string description: API product name. attribute_name: in: path name: attribute_name required: true schema: type: string description: Name of an attribute defined in the API product profile. attributename: in: query name: attributename required: false schema: type: string description: Name of an attribute defined in the API product profile on which you want to filter the list. attributevalue: in: query name: attributevalue required: false schema: type: string description: Value of the attribute. count: in: query name: count required: false schema: type: integer description: >- **Apigee Edge for Public Cloud only**. Number of API products to return in the API call. The limit is 1000. count-apps: in: query name: count required: false schema: type: integer description: >- **Apigee Edge for Public Cloud only**. Valid when `entity` is set to `apps`. Number of apps to return in the API call. The limit is 100. expand: in: query name: expand required: false schema: type: boolean description: Flag that specifies whether to view expanded details about each API product. Set to `true` to view expanded details. Defaults to `false`. startKey: in: query name: startKey required: false schema: type: string description: >- **Apigee Edge for Public Cloud only**. Name of an API product from which to start displaying the list of API products. For example, if you're returning 50 API products at a time (using the count query parameter), you can view products 50-99 by entering the name of the 50th API product. The API product name is case sensitive. startkey: in: query name: startkey required: false schema: type: string description: >- **Apigee Edge for Public Cloud only**. Valid when `entity` is set to `apps`. Name of an app from which to start displaying the list of apps. For example, if you're returning 50 apps at a time (using the count query parameter), you can view apps 50-99 by entering the name of the 50th app. The app name is case sensitive. query: in: query name: query required: false schema: type: string description: >- Set to `list` to list the entities specified by the `entity` query parameter. entity: in: query name: entity required: false schema: type: string description: >- Specify the type of entity for which you want to get a count or list, as defined by the `query` parameter. Valid values include: `keys`, `apps`, `developers`, or `companies`. With Apigee Edge for Public Cloud, the `developers` and `entity` types are not supported. schemas: APIProduct: description: API product details. type: object properties: apiResources: type: array items: description: API resource, such as `/forecastrss`. type: string description: >- Comma-separated list of API resources to be bundled in the API product. By default, the resource paths are mapped from the `proxy.pathsuffix` variable which is defined as the URI fragment following the ProxyEndpoint base path. For example, if the `apiResources` element is defined to be `/forecastrss` and the base path defined for the API proxy is `/weather`, then only requests to `/weather/forecastrss` are permitted by the API product. You can select a specific path, or you can select all subpaths with a wildcard (/** and /*). The double asterisk wildcard indicates that all sub-URIs are included. A single asterisk indicates that only URIs one level down are included. By default, / supports the same resources as /** as plus the base path defined by the API proxy. For example, if the base path of the API proxy is `/v1/weatherapikey`, then the API product supports requests to `/v1/weatherapikey` and to any sub-URIs, such as `/v1/weatherapikey/forecastrss`, `/v1/weatherapikey/region/CA`, and so on. For more information, see: * Manage API products for more information about managing API products and setting this value. * Managing a transaction recording policy using the API for information about setting this value when creating a transaction recording policy for monetization. approvalType: description: >- Flag that specifies how API keys are approved to access the APIs defined by the API product. If set to `manual`, the consumer key is generated and returned in "pending" state. In this case, the API keys won't work until they have been explicitly approved. If set to `auto`, the consumer key is generated and returned in "approved" state and can be used immediately. **Note**: Typically, `auto` is used to provide access to free or trial API products that provide limited quota or capabilities. type: string enum: - auto - manual attributes: description: >- Array of attributes that may be used to extend the default API product profile with customer-specific metadata. With Edge for Public Cloud, you can specify a maximum of 18 attributes. Use this property to specify the access level of the API product as either `public`, `private`, or `internal`. Only products marked `public` are available to developers in the Apigee developer portal. For example, you can set a product to `internal` while it is in development and then change access to `public` when it is ready to release on the portal. API products marked as `private` do not appear on the portal but can be accessed by external developers. For monetization, you can use the attributes field to: * Specify transaction success criteria * Specify custom attributes on which you base rate plan charges type: array items: $ref: '#/components/schemas/Attribute' createdAt: description: Output only. Creation date specified as milliseconds since epoch. type: integer readOnly: true createdBy: description: Output only. Email address of the user that created the API product. type: string readOnly: true description: description: Description of the API product. Include key information about the API product. type: string displayName: description: Name to be displayed in the UI or developer portal to developers registering for API access. type: string environments: description: >- Comma-separated list of environment names to which the API product is bound. Requests to environments that are not listed are rejected. By specifying one or more environments, you can bind the resources listed in the API product to a specific environment, preventing developers from accessing those resources through API proxies deployed in another environment. This setting is used, for example, to prevent resources associated with API proxies in `prod` from being accessed by API proxies deployed in `test`. type: array items: description: Environment. type: string lastModifiedAt: description: Output only. Last modified date specified as milliseconds since epoch. type: integer readOnly: true lastModifiedBy: description: Output only. Email address of the user that last modified the API product. type: string readOnly: true name: description: >- Internal name of the API Product. Valid characters include: `A-Z0-9._\-$ %`. **Notes**: * The name is required when creating an API product. It cannot be edited when updating the API product. * API product names must be unique within your organization. * For Monetization organizations, API product names must use a unique sequence of characters, regardless of case. For example, if you create an API product named `APIProductA` and subsequently attempt to create a company named `apiproducta`, an error is thrown. type: string proxies: description: >- Comma-separated list of API proxy names to which this API product is bound. By specifying API proxies, you can associate resources in the API product with specific API proxies, preventing developers from accessing those resources through other API proxies. Requests to API proxies not listed are rejected. **Note**: The API proxy names must already exist in the specified environment as they will be validated upon creation. type: array items: description: API proxy name. type: string quota: description: >- Number of request messages permitted per app by this API product for the specified `quotaInterval` and `quotaTimeUnit`. For example, a `quota` of 50, for a `quotaInterval` of 12 and a `quotaTimeUnit` of hours means 50 requests are allowed every 12 hours. type: string quotaInterval: description: >- Time interval over which the number of request messages is calculated. type: string quotaTimeUnit: description: >- Time unit defined for the `quotaInterval`. type: string enum: - minute - hour - day - month scopes: description: >- Comma-separated list of OAuth scopes that are validated at runtime. Apigee Edge validates that the scopes in any access token presented match the scopes defined in the OAuth policy assoicated with the API product. type: array items: description: OAuth scope. type: string APIProductRequest: description: API product request. type: object required: - displayName - approvalType properties: apiResources: type: array items: description: API resource, such as `/forecastrss`. type: string description: >- Comma-separated list of API resources to be bundled in the API product. By default, the resource paths are mapped from the `proxy.pathsuffix` variable which is defined as the URI fragment following the ProxyEndpoint base path. For example, if the `apiResources` element is defined to be `/forecastrss` and the base path defined for the API proxy is `/weather`, then only requests to `/weather/forecastrss` are permitted by the API product. You can select a specific path, or you can select all subpaths with a wildcard (/** and /*). The double asterisk wildcard indicates that all sub-URIs are included. A single asterisk indicates that only URIs one level down are included. By default, / supports the same resources as /** as plus the base path defined by the API proxy. For example, if the base path of the API proxy is `/v1/weatherapikey`, then the API product supports requests to `/v1/weatherapikey` and to any sub-URIs, such as `/v1/weatherapikey/forecastrss`, `/v1/weatherapikey/region/CA`, and so on. For more information, see: * Manage API products for more information about managing API products and setting this value. * Managing a transaction recording policy using the API for information about setting this value when creating a transaction recording policy for monetization. approvalType: description: >- Flag that specifies how API keys are approved to access the APIs defined by the API product. If set to `manual`, the consumer key is generated and returned in "pending" state. In this case, the API keys won't work until they have been explicitly approved. If set to `auto`, the consumer key is generated and returned in "approved" state and can be used immediately. **Note**: Typically, `auto` is used to provide access to free or trial API products that provide limited quota or capabilities. type: string enum: - auto - manual attributes: description: >- Array of attributes that may be used to extend the default API product profile with customer-specific metadata. With Edge for Public Cloud, you can specify a maximum of 18 attributes. Use this property to specify the access level of the API product as either `public`, `private`, or `internal`. Only products marked `public` are available to developers in the Apigee developer portal. For example, you can set a product to `internal` while it is in development and then change access to `public` when it is ready to release on the portal. API products marked as `private` do not appear on the portal but can be accessed by external developers. For monetization, you can use the attributes field to: * Specify transaction success criteria * Specify custom attributes on which you base rate plan charges type: array items: $ref: '#/components/schemas/Attribute' description: description: Description of the API product. Include key information about the API product. type: string displayName: description: Name to be displayed in the UI or developer portal to developers registering for API access. type: string environments: description: >- Comma-separated list of environment names to which the API product is bound. Requests to environments that are not listed are rejected. By specifying one or more environments, you can bind the resources listed in the API product to a specific environment, preventing developers from accessing those resources through API proxies deployed in another environment. This setting is used, for example, to prevent resources associated with API proxies in `prod` from being accessed by API proxies deployed in `test`. type: array items: description: Environment. type: string name: description: >- Internal name of the API Product. Valid characters include: `A-Z0-9._\-$ %`. **Note**: The name is required when creating an API product. It cannot be edited when updating the API product. type: string proxies: description: >- Comma-separated list of API proxy names to which this API product is bound. By specifying API proxies, you can associate resources in the API product with specific API proxies, preventing developers from accessing those resources through other API proxies. Requests to API proxies not listed are rejected. **Note**: The API proxy names must already exist in the specified environment as they will be validated upon creation. type: array items: description: API proxy name. type: string quota: description: >- Number of request messages permitted per app by this API product for the specified `quotaInterval` and `quotaTimeUnit`. For example, a `quota` of 50, for a `quotaInterval` of 12 and a `quotaTimeUnit` of hours means 50 requests are allowed every 12 hours. type: string quotaInterval: description: >- Time interval over which the number of request messages is calculated. type: string quotaTimeUnit: description: >- Time unit defined for the `quotaInterval`. type: string enum: - minute - hour - day - month scopes: description: >- Comma-separated list of OAuth scopes that are validated at runtime. Apigee Edge validates that the scopes in any access token presented match the scopes defined in the OAuth policy assoicated with the API product. type: array items: description: OAuth scope. type: string Attributes: description: API product attributes. properties: attribute: type: array items: $ref: '#/components/schemas/Attribute' Attribute: description: API product attribute name and value. properties: name: description: Name of attribute. type: string value: description: Value of attribute. type: string