Merge branch 'main' into openapi-secure

Author: cephalin

.openpublishing.redirection.json

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 09/11/2025
+ms.date: 10/27/2025
 ms.author: danlep
 ms.custom: sfi-image-nochange
 
@@ -44,10 +44,10 @@ To complete this tutorial, you need to:
 
 + [Create an Azure API Management instance](get-started-create-service-instance.md)
 + Understand [caching in Azure API Management](api-management-howto-cache.md)
-+ Have an [Azure Managed Redis](../redis/quickstart-create-managed-redis.md), [Azure Cache for Redis](../azure-cache-for-redis/quickstart-create-redis.md), or another Redis-compatible cache available.
++ Have an [Azure Managed Redis](../redis/quickstart-create-managed-redis.md) or another Redis-compatible cache available.
 
     > [!IMPORTANT]
-    > Azure API Management uses a Redis connection string to connect to the cache. If you use Azure Cache for Redis or Azure Managed Redis, enable access key authentication in your cache to use a connection string. Currently, you can't use Microsoft Entra authentication to connect Azure API Management to Azure Cache for Redis or Azure Managed Redis.
+    > Azure API Management uses a Redis connection string to connect to the cache. If you use Azure Managed Redis, enable access key authentication in your cache to use a connection string. Currently, you can't use Microsoft Entra authentication to connect Azure API Management to Azure Managed Redis.
 
 ### Redis cache for Kubernetes
 
@@ -57,7 +57,7 @@ For an API Management self-hosted gateway, caching requires an external cache. F
 
 Follow the steps below to add an external Redis-compatible cache in Azure API Management. You can limit the cache to a specific gateway in your API Management instance.
 
-![Screenshot that shows how to add an external Azure Cache for Redis in Azure API Management.](media/api-management-howto-cache-external/add-external-cache.png)
+![Screenshot that shows how to add an external Azure Managed Redis cache in Azure API Management.](media/api-management-howto-cache-external/add-external-cache.png)
 
 ### Use from setting
 
@@ -76,7 +76,7 @@ The **Use from** setting in the configuration specifies the location of your API
 > [!NOTE]
 > You can configure the same external cache for more than one API Management instance. The API Management instances can be in the same or different regions. When sharing the cache for more than one instance, you must select **Default** in the **Use from** setting. 
 
-### Add an Azure Cache for Redis or Azure Managed Redis instance from the same subscription
+### Add an Azure Managed Redis instance from the same subscription
 
 1. Browse to your API Management instance in the Azure portal.
 1. In the left menu, under **Deployment + infrastructure** select **External cache**.
@@ -85,14 +85,17 @@ The **Use from** setting in the configuration specifies the location of your API
 1. In the [**Use from**](#use-from-setting) dropdown, select **Default** or specify the desired region. The **Connection string** is automatically populated.
 1. Select **Save**.
 
+> [!NOTE]
+> The default connection string is in the form `<cache-name>:10000,<cache-access-key>,ssl=True,abortConnect=False`. API Management stores the string as a secret named value. If you need to view or edit the string to  rotate the access key or troubleshoot connection issues, go to the **Named values** blade.
+
 ### Add a Redis-compatible cache hosted outside of the current Azure subscription or Azure in general
 
 1. Browse to your API Management instance in the Azure portal.
 1. In the left menu, under **Deployment + infrastructure** select **External cache**.
 1. Select **+ Add**.
 1. In the **Cache instance** dropdown, select **Custom**.
 1. In the [**Use from**](#use-from-setting) dropdown, select **Default** or specify the desired region.
-1. Enter your Azure Cache for Redis, Azure Managed Redis, or Redis-compatible cache connection string in the **Connection string** field.
+1. Enter your Azure Managed Redis or Redis-compatible cache connection string in the **Connection string** field.
 1. Select **Save**.
 
 ### Add a Redis cache to a self-hosted gateway

articles/api-management/api-management-howto-cache-external.md

@@ -82,7 +82,7 @@ With the caching policies shown in this example, the first request to a test ope
 1. Select **Save**.
 
 > [!TIP]
-> If you're using an external cache, as described in [Use an external Azure Cache for Redis in Azure API Management](api-management-howto-cache-external.md), you might want to specify the `caching-type` attribute of the caching policies. See [API Management caching policies](api-management-policies.md#caching) for more information.
+> If you're using an external cache, as described in [Use an external Redis-compatible cache in Azure API Management](api-management-howto-cache-external.md), you might want to specify the `caching-type` attribute of the caching policies. See [API Management caching policies](api-management-policies.md#caching) for more information.
 
 ## Call an operation to test the caching
 

articles/api-management/api-management-howto-cache.md

@@ -55,7 +55,7 @@ Create an app registration in your Microsoft Entra ID tenant. The app registrati
     * In the **Supported account types** section, select **Accounts in this organizational directory only**.
     * In **Redirect URI**, select **Single-page application (SPA)** and enter the following URL: `https://{your-api-management-service-name}.developer.azure-api.net/signin`, where `{your-api-management-service-name}` is the name of your API Management instance.
     * Select **Register** to create the application.
-1.On the app **Overview** page, find the **Application (client) ID** and **Directory (tenant) ID** and copy theses values to a safe location. You need them later.
+1.On the app **Overview** page, find the **Application (client) ID** and **Directory (tenant) ID** and copy these values to a safe location. You need them later.
 1. In the sidebar menu, under **Manage**, select **Certificates & secrets**. 
 1. From the **Certificates & secrets** page, on the **Client secrets** tab, select **+ New client secret**. 
     * Enter a **Description**.

articles/api-management/api-management-howto-entra-external-id.md

@@ -97,7 +97,7 @@ ApiManagementGatewayLlmLog
     RequestContent = tostring(RequestArray.content),
     ResponseContent = tostring(ResponseArray.content)
 | summarize
-    Input = strcat_aray(make_list(RequestContent), " . "),
+    Input = strcat_array(make_list(RequestContent), " . "),
     Output = strcat_array(make_list(ResponseContent), " . ")
     by CorrelationId
 | where isnotempty(Input) and isnotempty(Output)
@@ -121,4 +121,4 @@ For details to create and run a model evaluation in Azure AI Foundry, see [Evalu
 
 * [Learn more about monitoring API Management](monitor-api-management.md)
 * [Azure Monitor reference for API Management](monitor-api-management-reference.md)
-* [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md)
+* [Tutorial: Monitor published APIs](api-management-howto-use-azure-monitor.md)

articles/api-management/api-management-howto-llm-logs.md

@@ -1,49 +1,53 @@
 ---
-title: How to delegate user registration and product subscription
-description: Learn how to delegate user registration and product subscription to a third party in Azure API Management.
+title: How to Delegate User Registration and Product Subscription
+description: Learn how to delegate user registration and product subscription to a third party in the Azure API Management developer portal.
 author: dlepow
 services: api-management
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 05/24/2025
+ms.date: 10/24/2025
 ms.author: danlep
 ---
 
 # How to delegate user registration and product subscription
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2](../../includes/api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2.md)]
 
-Delegation enables your website to own the user data and perform custom validation. With delegation, you can handle developer sign-in/sign-up (and related account management operations) and product subscription using your existing website, instead of the developer portal's built-in functionality. 
+Delegation enables your website to own the user data and perform custom validation for users of the developer portal. With delegation, you can handle developer sign-in and sign-up (and related account management operations) and product subscription by using your existing website, instead of the developer portal's built-in functionality.  
 
 ## Delegating developer sign-in and sign-up
 
-To delegate developer sign-in and sign-up and developer account management options to your existing website, create a special delegation endpoint on your site. This special delegation acts as the entry-point for any sign-in/sign-up and related requests initiated from the API Management developer portal.
+To delegate developer sign-in and sign-up and developer account management options to your existing website, create a special delegation endpoint on your site. This special delegation acts as the entry point for any sign-in/sign-up and related requests initiated from the API Management developer portal.
 
-The final workflow will be:
+The final workflow consists of these steps:
 
-1. Developer clicks on the sign-in or sign-up link or an account management link at the API Management developer portal.
+1. Developer clicks the sign-in or sign-up link or an account management link at the API Management developer portal.
 1. Browser redirects to the delegation endpoint.
 1. Delegation endpoint in return redirects user to or presents user with sign-in/sign-up or account management UI. 
 1. After the operation completes, user is redirected back to the API Management developer portal at the location they left.
 
-### Set up API Management to route requests via delegation endpoint
+### Set up API Management to route requests through a delegation endpoint
 
-1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
-1. In the left menu, under **Developer portal**, select **Delegation**. 
-1. Click the checkbox to enable **Delegate sign-in & sign-up**.
+1. In the [Azure portal](https://portal.azure.com), go to your API Management instance.
+1. In the sidebar menu, under **Developer portal**, select **Delegation**.
+1. Select the checkbox to **Enable delegation**.
+1. Select the checkbox to enable **Delegate sign-in & sign-up**.
 
-    :::image type="content" source="media/api-management-howto-setup-delegation/api-management-delegation-signin-up.png" alt-text="Screenshot showing delegation of sign-in and sign-up in the portal.":::
+    :::image type="content" source="media/api-management-howto-setup-delegation/api-management-delegation-sign-in-up.png" alt-text="Screenshot showing delegation of sign-in and sign-up in the portal.":::
 
-1. Decide your special delegation endpoint's URL and enter it in the **Delegation endpoint URL** field. 
-1. Within the **Delegation Validation Key** field, either:
-    * Enter a secret used to compute a signature provided for verification that the request originates from API Management. 
-    * Click the **Generate** button for API Management to generate a random key for you.
-1. Click **Save**.
+1. Choose the URL for your special delegation endpoint and enter it in the **Delegation service endpoint** field. 
+1. In **Delegation keys**:
+    * Generate the **Primary validation key** or **Secondary validation key** (or both) to use by your delegation service to validate requests from API Management. Select the ellipsis (**...**) next to either key and then select **Regenerate**.
+    * Select the ellipsis (**...**) next to either key and then select **Copy**. Copy the keys to a secure location, and use them when configuring your delegation service. 
+1. Select **Save**.
+
+> [!TIP]
+> You can rotate and regenerate the delegation validation keys at any time. Rotation replaces the primary key with the secondary key, and regenerates the secondary key. After saving the keys, make sure to update your delegation service to use the new keys.
 
 ### Create your delegation endpoint 
 
-Recommended steps for creating a new delegation endpoint to implement on your site:
+To create a new delegation endpoint to implement on your site, follow these steps:
 
 1. Receive a request in the following form, depending on the operation:
 
@@ -97,22 +101,22 @@ Recommended steps for creating a new delegation endpoint to implement on your si
 
 ## Delegating product subscription
 
-Delegating product subscriptions works similarly to delegating user sign-in/sign-up. The final workflow would be as follows:
+Delegating product subscriptions works similarly to delegating user sign-in/sign-up. The final workflow consists of these steps:
 
-1. Developer selects a product in the API Management developer portal and clicks on the **Subscribe** button.
+1. Developer selects a product in the API Management developer portal and selects the **Subscribe** button.
 1. Browser redirects to the delegation endpoint.
-1. Delegation endpoint performs required product subscription steps, which you design. They may include: 
+1. Delegation endpoint performs required product subscription steps, which you design. These steps could include: 
    * Redirecting to another page to request billing information.
-   * Asking additional questions.
+   * Asking further questions.
    * Storing the information and not requiring any user action.
 
 ### Enable the API Management functionality
 
-On the **Delegation** page, click **Delegate product subscription**.
+On the **Delegation** page, select the checkbox to **Enable delegation**, and then enable **Delegate product subscription**.
 
 ### Create your delegation endpoint
 
-Recommended steps for creating a new delegation endpoint to implement on your site:
+To create a new delegation endpoint for your site, follow these steps:
 
 1. Receive a request in the following form, depending on the operation.
 
@@ -127,14 +131,14 @@ Recommended steps for creating a new delegation endpoint to implement on your si
 
    | Parameter | Description |
    | --------- | ----------- |
-   | **operation** | Identifies the delegation request type. Valid product subscription requests options are: <ul><li>**Subscribe**: a request to subscribe the user to a given product with provided ID (see below).</li><li>**Unsubscribe**: a request to unsubscribe a user from a product</li></ul> |
+   | **operation** | Identifies the delegation request type. Valid product subscription request options are: <ul><li>**Subscribe**: a request to subscribe the user to a given product with provided ID (see below).</li><li>**Unsubscribe**: a request to unsubscribe a user from a product</li></ul> |
    | **productId** | On *Subscribe*, the product ID that the user requested subscription. |
    | **userId** | On *Subscribe*, the requesting user's ID. |
    | **subscriptionId** | On *Unsubscribe*, the product subscription ID. |
    | **salt** | A special salt string used for computing a security hash. |
    | **sig** | A computed security hash used for comparison to your own computed hash. |
 
-1. Verify that the request is coming from Azure API Management (optional, but highly recommended for security)
+1. Verify that the request comes from Azure API Management (optional, but highly recommended for security).
 
    * Compute an HMAC-SHA512 of a string based on the **productId** and **userId** (or **subscriptionId**) and **salt** query parameters:
 
@@ -148,16 +152,16 @@ Recommended steps for creating a new delegation endpoint to implement on your si
      HMAC(salt + '\n' + subscriptionId)
      ```
 
-   * Compare the above-computed hash to the value of the **sig** query parameter. If the two hashes match, move on to the next step. Otherwise, deny the request.
+   * Compare the above-computed hash to the value of the **sig** query parameter. If the two hashes match, move to the next step. Otherwise, deny the request.
 1. Process the product subscription based on the operation type requested in **operation** (for example: billing, further questions, etc.).
 1. After completing the operation on your side, manage the subscription in API Management. For example, subscribe the user to the API Management product by [calling the REST API for subscriptions].
 
 ## Example code
 
-These code samples show how to generate the hash of the `returnUrl` query parameter when delegating user sign-in or sign-up. The `returnUrl` is the URL of the page where the user clicked on the sign-in or sign-up link.
+These code samples show how to generate the hash of the `returnUrl` query parameter when delegating user sign-in or sign-up. The `returnUrl` is the URL of the page where the user clicked the sign-in or sign-up link.
 
-* Take the *delegation validation key*, which is set in the **Delegation** screen of the Azure portal.
-* Create an HMAC, which validates the signature, proving the validity of the passed returnUrl.
+* Take the *delegation validation key*, which you set in the **Delegation** screen of the Azure portal.
+* Create an HMAC, which validates the signature and proves the validity of the passed `returnUrl`.
 
 With slight modification, you can use the same code to calculate other hashes, such as with `productId` and `userId` when delegating product subscription.
 
@@ -199,8 +203,8 @@ var signature = digest.toString('base64');
 > You need to [republish the developer portal](developer-portal-overview.md#publish-the-portal) for the delegation changes to take effect.
 
 ## Related content
-- [Learn more about the developer portal.](api-management-howto-developer-portal.md)
-- [Authenticate using Microsoft Entra ID](api-management-howto-aad.md) or with [Microsoft Entra External ID](/entra/external-id/customers/overview-customers-ciam).
+- [Learn more about the developer portal](api-management-howto-developer-portal.md)
+- [Authenticate using Microsoft Entra ID](api-management-howto-aad.md) or with [Microsoft Entra External ID](/entra/external-id/customers/overview-customers-ciam)
 - More developer portal questions? [Find answers in our FAQ](developer-portal-faq.md).
 
 [Delegating developer sign-in and sign-up]: #delegate-signin-up