1. Home
  2. Training Library
  3. Google Cloud Platform
  4. Courses
  5. Introduction to Apigee API Management

Creating and Managing API Proxies


Start course

In this course, you will learn how to manage your APIs by using Apigee. Apigee allows you to continuously make improvements while also ensuring stability and reliability. We also cover how to modify the behavior of your APIs by applying policies, as well as how to enforce authentication.

Learning Objectives

  • Describe what an API proxy is
  • Deploy an API proxy using Apigee
  • Create and apply an Apigee policy
  • Secure an API by requiring a key

Intended Audience

  • GCP Developers
  • GCP Administrators


  • Previous experience with APIs
  • Admin access to a GCP account

Once you have provisioned an Apigee environment, you can begin to use it.  In this lesson, I  am going to show you how to work with API proxies.  I will begin by mapping a public URL to a backend service.  Then I will demonstrate how to add a policy.  Finally, I’ll show you how to enable authentication and limit who can access your APIs.

First, let’s build an API proxy.  You need to already have an API available.  I am going to use this  Cloud Function that I previously created.  

So to start, I will open a new tab and then search for “Apigee”.  If you have already set up your environment, you will see the Apigee console.

I want to create a new proxy so I will click on “API Proxies”.  You can see that a default “hello-world” example has already been created.  To add a new one, click on “Create New” up here.  Now I have a few options to choose from.  Most of the time, you will pick “Reverse proxy”.  It even tells you here on the screen that this is the “most common”.  “No target” and “Proxy bundles” are more advanced options that I will not be covering.

So now I have to fill in the details.  I have to pick a name for my proxy, to help identify it from the others.  Since my API adds numbers, I will call it “addition”.

Next, I need to set a path for the API.  This will be the unique path used to access this specific API.  It will automatically generate the base path for you based on the name, but you can override it if you wish.

Next I can fill in a description.  This helps if you are going to end up with a lot of APIs.

And then the target field needs to contain the URL of my existing API.  So I am just going to copy that from the Google console like this.  And then click on “Next”.

On the next screen, I can choose to apply some common policies.  You can enable authentication, add CORS headers, or impose quotas.  I want to keep things simple, so I will skip this for now.

Finally, here is the summary screen.  Make sure to carefully review all your selections.  Under “Optional Deployment” there is a checkbox for immediately deploying the API as soon as you create it.  Checking this will make the API immediately available.  I want to show you how to manually deploy the proxy, so I am going to leave this unchecked for now.  When you are ready, click on “Create”.

So you can see that my new proxy has been created.  You can tell the “hello-world” API is deployed, but my “Addition” API has not.  Notice it does not have a green checkmark.

If you click on the name you can review the details.  Here is the deployment status, the proxy endpoint and the target endpoint.

Now at this point, if I try to access the API, it will fail.  I can run this cURL command in my terminal.  For the URL, you just combine the DNS name for the Apigee organization and the proxy endpoint base path.  In this case, I am passing in a JSON object where A is set to “1” and B is set to “2”.  But as you can see, I am not getting any return values.

Once I deploy the API proxy, this command should start to work.  To do a deployment, just click on the dropdown under revision.  And then pick a revision.  So far I just have the one.  Notice that you also get an option to “undeploy” the API proxy as well.  Every time you make a change, it will create a new revision.  If you ever deploy a revision that does not work, you can easily roll back to a previously working version. 

Just before deploying, it will give you the option to specify a service account, but this is more advanced, so I am going to leave that blank.

Deploying takes a little bit of time.  You might need to wait a few minutes.  You can hover your cursor over the details link like this to see what is happening.  Ok, now the deployment has finished.  So let me rerun my cURL command.  This time I got a real result.  Now if I run it again with different values, it still returns the correct answer.  So that is how to create an API proxy.

Now maybe this does not seem too impressive.  All I have really done so far is remapped one URL to another.  However, this allows you up to do some cool things, like add policies.  Let me demonstrate how to do just that.

If you click on the “develop” tab here, you can modify the pre-flow and post-flow of both the proxy and target endpoints.  Essentially, this allows you to make changes at various points in the API request.  If I click on “Add Step” you can see there are a lot of different options.  There are options for traffic management including setting quotas or enabling caching.  There are security options for enabling authentication or threat protection.  There are mediation options for converting to XML or extracting variables.  And there are lots more.

Currently my API outputs in JSON.  But what if I wanted the output to be in XML instead?  Well I can do just that by adding a “JSON to XML” policy.  So I am going to add this policy to the response preflow, and now instead of getting back my answer in a JSON object it will come back as an XML document.

After adding all the policies you want, just click on save and this will create a new revision.  And recall that you need to publish a revision before you can use it, so you need to click here to make it live.  Again, we need to wait for the deployment to finish.  

Ok, so let me run the cURL command and let’s see what happens.  There we go.  The response is now coming back in XML.  As you can tell, policies give you a ton of flexibility.  You can reformat data, add authentication, or trigger additional actions, all without needing to change the original API code. 

Authentication is pretty important, so let me demonstrate how to do that next.  I am going to delete my API proxy.   And then I will recreate it.  But this time, I am going to tell it to require an API key under the “Common policies'' page .  Now, anyone calling this API will need to include a valid key in the request.

And to see what is different, I am going to click on the “develop” tab.  Here you can see that it automatically added two policies.  This policy is going to check for a valid API key.  And this policy is going to remove the key before the request is forwarded to the backend target.  Remember my original API does not require a key, and it does not know what to do with one.

Ok, so now let me try to run the cURL command again.  This time it fails because I have not included a valid key.  So my API proxy is correctly enforcing authentication.

So now that the API requires a key, how do I get one?  

Well there are two main ways to do this.  First, you can create a developer portal in which users can register via self-service.  Basically developers can sign up for an account, explore the APIs available and request keys.  This option is very handy if you are going to have many different users and many different APIs.  However, setting up the portal takes a fair amount of work.  I am not going to demonstrate this, since it’s a more advanced feature and involves quite a few steps.

The second option is much simpler if you only need to grant access to a handful of developers.  You can generate keys manually.

Be aware that for either option, you cannot generate a key for a single API.  Instead, you generate keys for API products.  An API product is just a bundled collection of API proxies.

Generally, you will need to have several APIs in order to create a useful service.  For example, it would be odd for me to publish a single API for adding two numbers.  At the minimum, I should probably include other APIs for subtraction, multiplication and division as well.  By bundling these four APIs together into a single Math API product, a developer would only need a single API key to access all four.  You don’t want to have to generate twenty keys for a service with twenty APIs.

So before I can create an API key, I first need to create a “Math” API product.  Click on API Products in the side menu.  Then click “Create”.  I need to enter a unique ID and a display name.  You can add a description if you wish.   And then select the environment.  This is the Apigee organization that you created.  Then you have to set the level of Access.  You can choose between Public, Private or Internal.  Private means the developer has to be specifically authorized to use this product.  Public means that any developers registered in the system can use the product.  And internal means that only internal developers can have access to the product.

The system will automatically approve requests for access, but if you want to handle that manually, you can uncheck this box.

You can also specify a quota here if you want to limit the number of calls.  And the rest of this stuff is optional.  They allow you to get really specific about what exactly is allowed.  You can do stuff like allow POSTs but disallow GETs.

Once you have filled in all the values, you need to scroll up to the top and click “Save”.  I know this is kind of weird.  Usually the save button is at the bottom of the page.

Alright, so now that I have created a product, I next need to register a developer.  So to do that. click on “Developers” in the side menu.  And then on “Add Developer”.  You have to enter their name, email, and pick a username.

Now I can finally generate my key.  To do this, I need to create an “App” for my developer.  Click on “Apps”.  And then on “Add App”.  Choose the developer.  Pick a name for the app.  And then pick the products that you want to grant access to here.  I am going to choose my Math API product.  And then, when you are ready, click on “Create” up here.

Ok, so my new developer has been approved.  The API key has been generated and you can access it here.  So, I just have to copy this, and then update my cURL command so that it should work again.  Here is the updated command.  And you can see that it works now.

So now you know how to enable authentication.  I really like this because I was able to write the original API without having to worry about users or access keys.  API developers can really focus on the core logic without having to get bogged down in a bunch of other details.

Well, I think I have covered all the basics.  You now should be able to use Apigee to create your own API proxies, add policies, and set up basic authentication on your own.

About the Author
Learning Paths

Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.

Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.

When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.