I wanted to use Azure API management for exposing our existing APIs to third-party developers. Azure API management provides a developer portal where third parties can sign-in and obtain subscription keys. The subscription key is then supposed to be passed with every request as query string parameter or along with POST parameters.
This seems to be a concern since there is a possibility of someone easily getting access to this key if they can intercept HTTP traffic. The common mechanism is to generate HMAC of the request using client secret and sending it along with the request to ensure integrity and authenticity of the request and not send the client secret along with the request.
Is it possible to enable HMAC based integrity checks on Azure API Management?
Also is it possible to configure Azure API Management to send back the response with HMAC so that client as well can verify that the response is coming from a reliable source?