An Azure service that provides a hybrid, multi-cloud management platform for APIs.
Hi @REUBEN SINHA (SINHA REUBEN) ,
Thank you for reaching out to the Microsoft Q&A platform!
The issue you are encountering where older subscription keys are successfully authorized but newly added subscription keys return a 401 Unauthorized error with the message "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription" is typically caused by an internal caching delay in the API Management gateway.
When a new subscription is created, the generated keys might not immediately sync to the gateway's internal configuration cache, while the older keys are already cached and validate successfully.
Please try the troubleshooting steps which may resolve this issue:
1. Force an Immediate Cache Refresh (Manual Re-save) You can force the API Management gateway to immediately reload its subscription configuration by performing a "dummy save" on the affected subscription.
- Navigate to your Azure Portal > API Management instance.
- In the left menu, select Subscriptions.
- Open the newly created subscription that is returning the
401error. - Without making any actual changes, click Save. This forces the APIM gateway to immediately reload the keys.
2. Wait for Cache Propagation: If you have an automated process generating these keys, there can occasionally be a slight delay in propagation. Waiting for up to 10 minutes allows the internal cache to naturally refresh and pick up the newly generated keys.
3. Programmatic Update via REST API: If you are automating the subscription creation process, you can programmatically force an update by calling the Subscription - Create Or Update REST API right after creation. Re-submitting the request "touches" the resource and triggers a configuration sync.
4. Check for Hardcoded Header Policies: Although you mentioned the request does not reach the backend, the failure happens during gateway validation. It is a good practice to ensure no inbound policies at the API or Product level are accidentally overriding the incoming key header. According to the official Azure troubleshooting documentation on Unauthorized errors:
"Ocp-Apim-Subscription-Key is the request header sent for the subscription key of the product that is associated with this API... check the Frontend definition... Upon careful inspection, you would notice that these operations got a wrong hard-coded value of Ocp-Apim-Subscription-Key request header added under Headers tab."
Ensure your <inbound> policies do not contain a set-header policy that incorrectly overwrites the Ocp-Apim-Subscription-Key.
Please try the manual re-save workaround, as it resolves the synchronization state in most scenarios. Let me know if it works.