Adventures with Azure APIM: C# In My Policy

API Management

I was asked by a customer recently on how to call a third-party API that required an MD5 hash to be included as a query string parameter from Azure API Management.

I knew the answer was in policies but was not exactly sure how to do it. I also seemed to remember the Marvel API requiring something like this. 🤔

To use the Marvel API you have to include the following query parameters:

  • ts – Timestamp or other long string which can change on a request-by-request basis
  • apikey – Your Marvel API account public key
  • hash – MD5 hash of the timestamp, the Marvel API private key and the Marvel API public key

I decided to build out a POC to see I could do this.

In my Azure APIM resource I created a backend, called MarvelAPI, pointing to

I created an Azure Key Vault resource to store my Marvel API Private and Public Key which were then mapped to Name Values in my Azure APIM resource called MarvelPrivateKey and MarvelPublicKey.

I created a Marvel API with one operation called Character List.

The Character List operation had a the URL defined as a GET with a path of /characters.

Since the query parameters for ts, apikey and hash would need to be required for all calls to the Marvel API, I modified the All operations policy.

I tested it from the Azure portal, and what do you know? It worked! Now in all honesty, it took me over a couple of hours to actually figure it out. 😀

Pretty cool! 😎

The challenging part was there was no syntax checking in the code and any library usage had to include the full name, including the namespace, e.g., System.DateTime as opposed to just DateTime.

Super powerful, and super helpful!