Configure and manage subscriptions

You can configure a subscription that applies to all Service versions or to a specific version. The subscription becomes active when you set a Service version to one of the published states. Each subscription has a defined lifetime and, by default, requires approval, although you can disable this requirement. You can choose an API key or a JSON Web Token (JWT) for subscriber authentication:

  • API keys offer basic security. They're static, long-lived, contain a simple ID, and are compatible with Classic APIM subscriptions. The subscription lifetime determines the time-to-live (TTL). APIM 3.0 encrypts the API key.
  • JWTs offer strong security. They're signed, tamper-resistant, and can include claims that define roles, scopes, or other authorization data. They're short-lived and refreshable. We recommend using JWTs whenever possible. To use a JWT, provide a private and public key and set the maximum TTL. APIM 3.0 encrypts the token.
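
The properties listed for JWTs (signed, tamper-resistant, claim-carrying, short-lived with a maximum TTL) can be seen in the following added example, which is not APIM code. It assumes RS256 signing, the claim names `sub`, `scope`, `iat` and `exp`, and hypothetical helper names; the page does not describe APIM's actual token format.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
// Fixed header: the verifier pins RS256 and never lets the token choose the algorithm.
const HEADER = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));

// Issuer side: sign header.payload with the private key.
function issueToken(privateKey, claims) {
  const signingInput = `${HEADER}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Verifier side: only the public key is needed. Returns { ok, claims } or { ok, reason }.
function verifyToken(publicKey, token, nowSec, maxTtlSec) {
  const parts = token.split('.');
  if (parts.length !== 3 || parts[0] !== HEADER) {
    return { ok: false, reason: 'malformed token or unexpected algorithm' };
  }
  const [header, payload, sig] = parts;
  const signed = Buffer.from(`${header}.${payload}`);
  if (!crypto.verify('sha256', signed, publicKey, Buffer.from(sig, 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  // The payload is parsed only after the signature over it has been verified.
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) {
    return { ok: false, reason: 'missing iat/exp' };
  }
  if (nowSec >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.exp - claims.iat > maxTtlSec) return { ok: false, reason: 'lifetime exceeds maximum TTL' };
  return { ok: true, claims };
}

// Swap the payload for one with a different scope while keeping the original signature.
function tamperScope(token, scope) {
  const [header, payload, sig] = token.split('.');
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  return `${header}.${b64url(JSON.stringify({ ...claims, scope }))}.${sig}`;
}

// Constructed sample data: key pair, subject, scope and timestamps are all made up.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const now = 1700000000;
const token = issueToken(privateKey, { sub: 'consumer-42', scope: 'orders:read', iat: now, exp: now + 600 });
console.log(verifyToken(publicKey, token, now + 60, 900));
console.log(verifyToken(publicKey, tamperScope(token, 'orders:admin'), now + 60, 900));
console.log(verifyToken(publicKey, token, now + 601, 900));
```

A static API key offers none of these checks: it stays valid, unchanged, until the subscription lifetime ends or the subscription is revoked.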

The subscription lifecycle includes the following phases:

  • Active: A subscription becomes active when it's configured and an associated Service version is in a published state. In DeveloperHub, the Service has a Subscribe button.

  • Requested: Consumers click the Subscribe button to request a subscription. The next step depends on whether the subscription is configured for automatic approval:

    • Automatic (no approval required): The API key or JWT becomes immediately available for the consumer to copy. The key or token displays only once.

    • Pending (approval required): The Service owner or an Environment administrator must approve or reject subscription requests. Upon approval, consumers have access to the API key or JWT. The key or token displays only once.

  • Inactive: A subscription ends when its associated Service version is unpublished, when it is revoked, or when its defined lifetime expires. When inactive, subscribers lose access to the Service.

The following provide the detailed steps to: