Apigee release notes

Model Context Protocol (MCP) support in API hub

API hub now supports the Model Context Protocol (MCP) as a first-class API style. This enables you to ingest, register, and manage MCP APIs and their associated tools.

Key capabilities include:

• MCP API registration: Register MCP APIs manually or via API hub APIs to create a single registry for your agentic services.
• MCP tools: Attach MCP specification files to your APIs. API hub parses these files to automatically extract and display the MCP tools in the UI.

For more information, see API resources overview, Register MCP APIs, and Manage MCP tools.

New add-on management page in API hub

A new Add-on Management page is now available in API hub. This page serves as a centralized location to enable, configure, and manage all your add-on services.

For more information, see Manage add-ons.

Mask KVM values

You can now turn on key value map (KVM) masking to mask values with asterisks (*****). For more information, see About KVM masking.

New API deployments view

API deployment information is now available as a separate tab in the API details page. You can view your API deployment details, create new deployments, and manage existing deployments using the API deployments tab.

For more information, see Manage deployments.

Support for aggregate data in Error Code Analysis, Cache Performance, and Target Performance charts

Announcing support for viewing aggregate data in the Error Code Analysis, Cache Performance, and Target Performance Analytics dashboards.

For information on the Analytics dashboards, see Use the Analytics dashboards.

Support for aggregate data in Error Code Analysis, Cache Performance, and Target Performance charts

Announcing support for viewing aggregate data in the Error Code Analysis, Cache Performance, and Target Performance Analytics dashboards.

For information on the Analytics dashboards, see Use the Analytics dashboards.

Secure and validate documents using WS-Security with X.509 certificates

You can now secure and validate SOAP documents using WS-Security with X.509 certificates using crypto object methods. See Secure SOAP documents using WS-Security with X.509 certificates and Validate SOAP documents using WS-Security with X.509 certificates.

Support for new Apigee Analytics regions

This release introduces Apigee Analytics support for these new regions: Hong Kong (asia-east2) and São Paulo (southamerica-east1).

NOTE: Apigee Advanced API Security does not support these new regions at this time.

For a list of all of the supported Analytics regions, see Available Apigee API Analytics regions.

Support for new Apigee Analytics regions

This release introduces Apigee Analytics support for these new regions: Hong Kong (asia-east2) and São Paulo (southamerica-east1).

NOTE: Apigee Advanced API Security does not support these new regions at this time.

For a list of all of the supported Analytics regions, see Available Apigee API Analytics regions.

Filter APIs by user-defined attributes

You can now filter APIs using your custom, user-defined attributes from the APIs page in the Google Cloud console.

For more information, see Filter resources based on attributes.

Enhanced Validation for API products

Heightened validation logic for creating and updating API products is now available. Apigee now explicitly verifies proxy and environment resources against your organization when creating and updating API products.

Please ensure that all referenced resources exist and are correctly associated with your organization to avoid validation errors.

Support for API-product scoped quotas

You can now set quotas at the API product level to limit the number of requests all API proxies in the API product can process within a specified time frame. See Configuring the quota policy to use API product quota settings for information and instructions.

NOTE: API product-scoped quotas are not supported in Apigee hybrid at this time.

API insights in API hub

API insights is now available in API hub, providing a unified view of your API traffic and performance across all connected gateways. With API insights, you can gain a holistic understanding of your API ecosystem's health and quickly identify areas for optimization.

Currently, API insights supports data sources from Apigee, Apigee hybrid, Apigee Edge Public Cloud, and Apigee Edge Private Cloud (OPDK).

For more information, see API insights overview.

Detailed API resource insights

A new Insights tab is now available on the API details page, providing API-centric analytics to help you understand usage patterns and performance for each of your APIs.

You can now analyze key metrics such as total traffic, average TPS, request/response latencies, and more, directly from the API details page.

For more information, see View API resource insights.

Introduction of the target.evaluated.url flow variable

This release includes a new flow variable, target.evaluated.url, which should be used instead of the target.url flow variable in cases when the URL is dynamically constructed based on user input.

For more information, see the target flow variables documentation.

Recurring, top-up, and setup fees for Apigee hybrid monetization

Apigee hybrid now supports recurring, top-up, and setup fees for monetization. For information see Enabling monetization for Apigee hybrid.

Apigee policies for LLM/GenAI workloads

Apigee hybrid now supports the following Apigee policies with support for LLM/GenAI workloads.

• SemanticCacheLookup policy
• SemanticCachePopulate policy
• SanitizeUserPrompt
• SanitizeModelResponse

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

• Get started with semantic caching policies
• Get started with Apigee Model Armor policies

Output from print statements is now displayed in the Debug session viewer

A new option has been added to the transaction navigation table header in the Debug session viewer that opens the Transaction output window. The Transaction output window displays print() output from either all transactions in the debug session, or a specific transaction from the session. See Creating a debug session for details.

Recurring, top-up, and setup fees for Apigee hybrid monetization

Apigee hybrid now supports recurring, top-up, and setup fees for monetization. For information see Enabling monetization for Apigee hybrid.

Introduction of exclusion lists for Abuse Detection and incidents

You can now specify CIDR ranges and IP addresses to exclude from future incident reports. Use this feature to exclude traffic known to be safe, such as requests related to automated testing.

The new functionality includes the ability to create and manage multiple "exclusion lists" which define traffic to exclude and the reasons it is excluded.

Note: Exclusion lists are not available for VPC-SC customers at this time.

For usage information, see Exclude traffic from abuse detection in the documentation.

ApigeeBackendService for the Apigee Operator for Kubernetes (GA)

The ApigeeBackendService resource for the Apigee Operator for Kubernetes is Generally Available (GA).

This new resource enables the integration of the Apigee Operator for Kubernetes with the Google Kubernetes Engine (GKE) Inference Gateway. The GKE Inference Gateway is an extension to the GKE Gateway that provides optimized routing and load balancing for serving generative Artificial Intelligence (AI) workloads. It simplifies the deployment, management, and observability of AI inference workloads.

With this new integration, GKE Inference Gateway users can now leverage Apigee's full suite of features to manage, govern and monetize their AI workload through APIs.

To learn more, see Create an ApigeeBackendService.

New security actions status icons and "expired" note in the security actions UI

This release adds security status icons to the Apigee UI to make it easier to see, at a glance, whether a security action is enabled, disabled, or paused, and an "expired" note when an action is expired.

The status icons display next to the action's status in the security actions list and in the security action details page.

For information on security actions and security action statuses, see the Security Actions customer documentation.

Improvements to the Abuse Detection incident model

This release includes improvements to the incident model, including lower noise and higher accuracy for abuse detection incidents.

Note: This feature is not currently available to customers with VPC-SC enabled.

For information on abuse detection incidents, see the Abuse Detection customer documentation.

Added icon to proxy and sharedflow editor to mark unused policies

If a policy has yet to be attached to any flow in the configuration, an icon now displays next to that policy in the Proxy Editor side navigation to signify that the policy is currently unused in the proxy or sharedflow.

Enable and disable semantic search

You can now enable and disable semantic search from the API hub > Settings> Actions page in the Google Cloud console.

For more information, see Enable and disable semantic search.

Workforce Identity Federation users can now manage Integrated Portals using the Apigee Cloud console. This previous limitation has been removed from Accessing features only available in the Classic Apigee UI.

Workforce Identity Federation users can now manage Integrated Portals using the Apigee Cloud console. This previous limitation has been removed from Accessing features only available in the Classic Apigee UI.

Apigee policies for LLM/GenAI workloads are Generally Available (GA)

Four new Apigee policies supporting LLM/GenAI workloads are now GA:

• SemanticCacheLookup policy
• SemanticCachePopulate policy
• SanitizeUserPrompt
• SanitizeModelResponse

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs. With this release, the semantic caching policies support URL templating, enabling the use of variables for AI model endpoint values.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

• Get started with semantic caching policies
• Get started with Apigee Model Armor policies

Apigee Server-Sent Events (SSE) and EventFlows are supported for use with the Apigee Extension Processor.

The Apigee SSE feature enables continuous response streaming from server-sent event (SSE) endpoints to clients in real time. To learn more about this feature, see Streaming server-sent events.

The Apigee Extension Processor is a traffic extension that lets you use Cloud Load Balancing to send callouts from the data processing path of the application load balancer to the Apigee Extension Processor. To learn more, see the Apigee Extension Processor overview.

Debug view settings are now retained when switching between transactions

When switching between transactions in the debug view the following view settings are now retained:

• The state of the expand all toggle
• The zoom level of the graph
• The positioning of the viewport in the graph (best effort). This may be modified due to discrepancies in between the transactions
• The search filter. The active match will go into an indeterminate when switching transactions.

Added Display name column to Apps table

Added a column to the Apps table to show the App display name separate from the App name. The App name column will no longer show the display name if one is set. Instead the display name will appear in the new Display name column. You can also now filter by the App name and Display name independently.

Additional details and explanations for incidents and traffic identified as anomalous in Abuse Detection Advanced Anomaly Detection

Starting with this release, additional details are available for anomalies detected in incidents and detected traffic, including details on why traffic was flagged as anomalous, the days and times it triggered, time series charts showing anomalous traffic spikes, and direct links to the Google Cloud Logging for events.

See the Abuse detection "Details view" for more information.

Create and delete custom plugins in the UI

You can now create and delete custom plugins from the API hub > Settings > Plugins page in the Google Cloud console.

For more information, see Create custom plugins and Manage custom plugins.

Deprovision API hub in the UI

You can now deprovision an API hub instance from the API hub > Settings > Actions page in the Google Cloud console.

For more information, see Deprovision Apigee API hub.

Added Name column to API Products table

Added a column to the API Products table to display the product name. You can now filter and sort by the product name. The link to the API product detail page is now in the Name column instead of the Display Name column.

API observations in API hub (Preview)

API observations in API hub helps you tackle the challenges of undocumented and unmanaged APIs in your API infrastructure. It leverages Apigee shadow API discovery and uses automated discovery processes to bring all your APIs, across Google Cloud projects, into a unified, managed view.

For more information, see API observations in API hub.

Added path column to Debug transaction table

A new column has been added to the transactions table in the Debug view that specifies the path that was used by the transaction to call the proxy.

Improved performance when viewing IP address-specific details for abuse detection incidents

With this release, the IP address detail information for abuse incidents displays more quickly for IP addresses with high traffic volumes, potentially reducing load times from minutes to seconds.

For usage information, see the Abuse Detection incident detail documentation.

Availability of Shadow API Discovery for APIs in any Google Cloud project

Using Shadow API Discovery, you can find undocumented/shadow APIs in your existing cloud infrastructure. Shadow APIs pose a security risk to your system, since they might be unsecured, unmonitored, and unmaintained.

With this release, you can configure and run API observation jobs in any Google Cloud project, without needing to provision Apigee in that project. You can also centrally view the results of API observation jobs and compare discovered API endpoints and operations to APIs cataloged in API hub to identify shadow APIs.

See the Shadow API Discovery overview for information on Shadow API Discovery and how to add it to projects.

Terraform support for configuring Advanced API Security

We have expanded our Terraform support for Advanced API Security, enabling you to automate the management of your security posture. You can now use Terraform to manage add-on enablement for Subscription and PAYG environments, create Risk Assessment security profiles and monitoring conditions, configure IP address resolution, and create security actions.

For information, see Configure Advanced API Security using Terraform.

Server-sent events and EventFlows are Generally Available (GA)

Apigee supports continuous response streaming from server-sent event (SSE) endpoints to clients in real time. The Apigee SSE feature is useful for handling large language model (LLM) APIs that operate most effectively by streaming their responses back to the client. SSE streaming reduces latency, and clients can receive response data as soon as it is generated by an LLM. This feature supports the use of AI agents that operate in real time environments, such as customer service bots or workflow orchestrators. For more information, see Streaming server-sent events.

Streaming from SSE endpoints is available in Apigee and in Apigee hybrid v1.15.0 and newer.

New data source support for plugins

API hub now supports importing API metadata through new dedicated plugins for the following data sources:

1. Apigee Edge Public Cloud
2. Apigee Edge Private Cloud (OPDK)

For more information, see Plugins overview.

Push-based plugin ingestion

API hub now supports push-based plugin ingestion. This method allows for more real-time synchronization of API metadata. All new Apigee, Apigee hybrid, Apigee Edge Public Cloud, and Apigee Edge Private Cloud (OPDK) plugins are created with push-based ingestion by default.

For more information, see Plugin data ingestion methods.

Create custom plugins [API only]

You can now use the Create Plugin API to create custom plugins in API hub. Custom plugins are created manually to connect API hub to a specific API data source.

For more information, see Create custom plugins.

Server-sent events and EventFlows are Generally Available (GA)

Apigee supports continuous response streaming from server-sent event (SSE) endpoints to clients in real time. The Apigee SSE feature is useful for handling large language model (LLM) APIs that operate most effectively by streaming their responses back to the client. SSE streaming reduces latency, and clients can receive response data as soon as it is generated by an LLM. This feature supports the use of AI agents that operate in real time environments, such as customer service bots or workflow orchestrators. For more information, see Streaming server-sent events.

Streaming from SSE endpoints is available in Apigee and in Apigee hybrid v1.15.0 and newer.

Apigee and hybrid plugin instance management

You can now create and delete plugin instances for Apigee and Apigee Hybrid while associating the respective Apigee runtime projects to API hub.

For more information, see Auto-register Apigee proxies.

Support for editing and deleting security actions

With this release you can edit and delete existing security actions using either the UI or the Apigee Management APIs.

For usage information, see the security actions documentation.

Support for AppGroups in Abuse Detection attributes

Abuse Detection incidents and detected traffic now show information on AppGroups and AppGroup apps when the AppGroup is part of the request or traffic.

Note: This functionality is not available in Apigee hybrid at this time.

For usage information, see the Abuse Detection documentation.

Addition of AppGroup-specific Analytics dimensions for Custom Reports

This release introduces two new AppGroups Analytics dimensions: AppGroup Name and AppGroup App Name.

Use these dimensions with custom reports and report jobs to group metrics by a specific AppGroup or a specific app within an AppGroup.

For additional information see Analytics dimensions and Creating and managing custom reports.

Addition of AppGroup-specific Analytics dimensions for Custom Reports

This release introduces two new AppGroups Analytics dimensions: AppGroup Name and AppGroup App Name.

Use these dimensions with custom reports and report jobs to group metrics by a specific AppGroup or a specific app within an AppGroup.

For additional information see Analytics dimensions and Creating and managing custom reports.

This release adds the Export feature to the Apigee UI in the Cloud console. You can now export publishing data for developers, apps, or API products as a comma-separated values (CSV) file or JSON file.

Documentation: Exporting publishing data

Addition of AppGroup-specific Analytics dimensions for Custom Reports

This release introduces two new AppGroups Analytics dimensions: AppGroup Name and AppGroup App Name.

Use these dimensions with custom reports and report jobs to group metrics by a specific AppGroup or a specific app within an AppGroup.

For additional information see Analytics dimensions and Creating and managing custom reports.

Addition of AppGroup-specific Analytics dimensions for Custom Reports

This release introduces two new AppGroups Analytics dimensions: AppGroup Name and AppGroup App Name.

Use these dimensions with custom reports and report jobs to group metrics by a specific AppGroup or a specific app within an AppGroup.

For additional information see Analytics dimensions and Creating and managing custom reports.

This release adds the Export feature to the Apigee UI in the Cloud console. You can now export publishing data for developers, apps, or API products as a comma-separated values (CSV) file or JSON file.

Documentation: Exporting publishing data

API address drill down details are now available in the preview release of Advanced API Security Abuse Detection incidents in the detected traffic tab.

This new functionality shows details related to specific API addresses when viewing detected abuse in detected traffic.

For usage information, see the Abuse Detection customer documentation for incident details.

Starting with this release, the API proxy performance dashboard includes aggregate metrics such as the average TPS (transactions per second) with each chart.

For information and usage instructions for the API proxy performance dashboard, see the API proxy performance dashboard customer documentation.

Starting with this release, the API proxy performance dashboard includes aggregate metrics such as the average TPS (transactions per second) with each chart.

For information and usage instructions for the API proxy performance dashboard, see the API proxy performance dashboard customer documentation.

Starting with this release, the API proxy performance dashboard includes aggregate metrics such as the average TPS (transactions per second) with each chart.

For information and usage instructions for the API proxy performance dashboard, see the API proxy performance dashboard customer documentation.

Starting with this release, the API proxy performance dashboard includes aggregate metrics such as the average TPS (transactions per second) with each chart.

For information and usage instructions for the API proxy performance dashboard, see the API proxy performance dashboard customer documentation.

New model for Abuse Detection's Advanced Anomaly Detection rule

With this release, we introduced a new and improved machine learning model for anomaly detection in Advanced API Security. This new model includes the following improvements:

• Trained on customer-specific traffic patterns. The new model is trained exclusively on your organization's historical API traffic data. It continues to learn from your API traffic patterns over time to increase accuracy.
• Engineered by Google for anomaly detection. The new model is a custom Vertex AI-based machine learning model, engineered and also used internally by Google specifically to detect anomalies in traffic patterns.

Usage requirements:

• In order to use this new model, you must explicitly opt in to allow the model to use your traffic and other data to train for anomaly detection. Note that your data is never shared with other customers for training purposes.
• The new model is not available for VPC-SC customers at this time.

The new anomaly detection model replaces the old model, with no customer-facing changes to the API or UI. Upon opting in for model training, you can expect to start seeing detected anomalies within 6 hours. If you have already opted in to allow the older version of our anomaly detection model to use your traffic data for training, you will not need to opt in again.

For more information on this model and on Abuse Detection, see Abuse Detection customer documentation, including Detection rules.

Large message payload support in Apigee hybrid

Apigee now supports message payloads up to 30MB. You configure support for large message payloads in Apigee hybrid for individual environments or for your whole installation. See Configure large message payload support in Apigee hybrid.

Apigee API hub is enabled for new Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for new Apigee organizations in regions where API hub is supported. All new Apigee organizations, including hybrid organizations, that select an API hub-supported region for their Apigee Analytics region during provisioning will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

No action on your part is required to provision API hub for your organization, with the following exceptions:

• If your Apigee organization has Data Residency or VPC Service Controls enabled, you must configure your API hub instance manually to support these services. See VPC Service Controls for API hub and API hub and data residency for more information.
• If your Apigee organization uses Customer-Managed Encryption Keys (CMEK), you must deprovision the Apigee API hub instance provided by default and recreate it to support CMEK. See Deprovision Apigee API hub and Provision API hub in the Cloud console for step-by-step instructions.

Contact Google Cloud Support for questions or assistance.

Apigee API hub is enabled for new Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for new Apigee organizations in regions where API hub is supported. All new Apigee organizations, including hybrid organizations, that select an API hub-supported region for their Apigee Analytics region during provisioning will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

No action on your part is required to provision API hub for your organization, with the following exceptions:

• If your Apigee organization has Data Residency or VPC Service Controls enabled, you must configure your API hub instance manually to support these services. See VPC Service Controls for API hub and API hub and data residency for more information.
• If your Apigee organization uses Customer-Managed Encryption Keys (CMEK), you must deprovision the Apigee API hub instance provided by default and recreate it to support CMEK. See Deprovision Apigee API hub and Provision API hub in the Cloud console for step-by-step instructions.

Contact Google Cloud Support for questions or assistance.

New flow variables available for VerifyAPIKey policy

Two new flow variables have been added to the VerifyAPIKey policy.

• app_group_app
• app_group_name

To learn more, see Using flow variables.

Announcing the general availability of Gemini Code Assist API development features in Apigee

With this functionality, you can accelerate your API development lifecycle within VS Code using Gemini Code Assist in Apigee. This feature allows you to use natural language prompts to design, create, iterate, and manage OpenAPI specifications with the following capabilities:

• AI-Powered API Design: Generate high-quality OpenAPI specifications from natural language prompts to the Apigee tool in Gemini Code Assist Chat, leveraging the Gemini model and the enterprise context of your API hub.
• Effortless Iteration: Refine existing or newly generated specifications using the intuitive Gemini chat interface.
• Integrated Testing: Quickly validate your APIs by deploying them to a local or Google Cloud-hosted mock server.
• Streamlined Workflow: Publish your completed API specifications directly to Apigee API hub and kick-start proxy development by creating Apigee proxy bundles from your API specifications.
• Duplicate Endpoint Detection: Proactively identify and prevent the creation of duplicate API endpoints already registered in your API hub.

For more information and usage instructions, see Designing and editing APIs, Tutorial: Use Gemini Code Assist to design, develop, and test APIs in Apigee, and Setting up Apigee API Management in Cloud Code for VS Code.

GA: Apigee Integrated Developer Portal Admin UI in the Google Cloud console.

This release adds the Apigee Integrated Developer Portal Admin UI from the Classic Apigee UI into the Google Cloud console.

Leveraging Google Cloud console components provides API providers and Portal Admins with a centralized platform to efficiently configure, publish, and manage your API consumer portals, eliminating the need to switch between different UIs.

No new APIs have been introduced in this release.

See Publishing overview to get started.

GA: Apigee Integrated Developer Portal Admin UI in the Google Cloud console.

This release adds the Apigee Integrated Developer Portal Admin UI from the Classic Apigee UI into the Google Cloud console.

Leveraging Google Cloud console components provides API providers and Portal Admins with a centralized platform to efficiently configure, publish, and manage your API consumer portals, eliminating the need to switch between different UIs.

No new APIs have been introduced in this release.

See Publishing overview to get started.

Public Preview: Apigee Extension Processor support for request and response body processing

When creating a load balancer service extension, you can customize the behavior of the extension processor proxy to support request body processing, response body processing, or a combination of the two.

For more information, see Get started with the Apigee Extension Processor.

With this release, Advanced API Security expands its runtime region support to include africa-south1 (Johannesburg).

For a list of supported regions, see Apigee locations.

Public preview of server-sent events

Apigee now supports continuous response streaming from server-sent event (SSE) endpoints to clients in real time. The Apigee SSE feature is useful for handling large language model (LLM) APIs that operate most effectively by streaming their responses back to the client. SSE streaming reduces latency, and clients can receive response data as soon as it is generated by an LLM. This feature supports the use of AI agents that operate in real time environments, such as customer service bots or workflow orchestrators. For more information, see Streaming server-sent events.

Public Preview of Apigee policies for LLM/GenAI workloads

Four new Apigee policies supporting LLM/GenAI workloads are now available in Public Preview:

• SemanticCacheLookup policy
• SemanticCachePopulate policy
• SanitizeUserPrompt
• SanitizeModelResponse

The Apigee semantic caching policies enable intelligent response reuse based on semantic similarity. Using these policies in your Apigee API proxies can minimize redundant backend API calls, reduce latency, and lower operational costs.

The Model Armor policies protect your AI applications by sanitizing user prompts to and responses from large language models (LLMs). Using these policies in your Apigee API proxies can mitigate the risks associated with LLM usage by leveraging Model Armor to detect prompt injection, prevent jailbreak attacks, apply responsible AI filters, filter malicious URLs, and protect sensitive data.

For more information on using these policies in your Apigee API proxies, see:

• Get started with semantic caching policies
• Get started with Apigee Model Armor policies

Advanced API Security Abuse Detection incident reports now include the ability to view raw data

With this new functionality, you can view raw data underlying an incident report, including client IP address, API proxy, developer app, and other attributes.

For usage information, see the Abuse Detection customer documentation.

API overview and metrics

The Get Started with API hub page now includes new charts and scorecards to provide a quick overview of your API landscape.

For more information see Get started with API hub.

Improvements to the AppGroups functionality

Scopes and attributes can now be added to the AppGroup App Key via a POST operation on the key using the appGroupAppKey. See the updateAppGroupAppKey API for details.

Large message payload support in Apigee

Apigee now supports message payloads up to 30MB. For more information, see:

• Message payload size.
• Properties in the ProxyEndpoint configuration elements reference.
• Properties in the TargetEndpoint configuration elements reference.

Improvements to the PublishMessage policy

The PublishMessage policy now supports two new elements:

• The <UseMessageAsSource> element uses request or response message content as the source of data to be written to Pub/Sub. For more information, see <UseMessageAsSource>.

• The <Attributes> element lets you specify string attributes (key/value pairs) to include with the request or response message that is written to Pub/Sub. For more information, see <Attributes>.

Apigee now offers a Management API that allows users to list all recent debug sessions for a given proxy, regardless of revision or environment and current deployment status. This API is available for use, and is now used to populate all recent debug sessions in the Apigee Debug UI.

For more information on this method, see: organizations.apis.debugsessions.list

Apigee now offers a Management API that allows users to list all recent debug sessions for a given proxy, regardless of revision or environment and current deployment status. This API is available for use, and is now used to populate all recent debug sessions in the Apigee Debug UI.

For more information on this method, see: organizations.apis.debugsessions.list

Large message payload support in Apigee

Apigee now supports message payloads up to 30MB. For more information, see:

• Message payload size.
• Properties in the ProxyEndpoint configuration elements reference.
• Properties in the TargetEndpoint configuration elements reference.

Improvements to the PublishMessage policy

The PublishMessage policy now supports two new elements:

• The <UseMessageAsSource> element uses request or response message content as the source of data to be written to Pub/Sub. For more information, see <UseMessageAsSource>.

• The <Attributes> element lets you specify string attributes (key/value pairs) to include with the request or response message that is written to Pub/Sub. For more information, see <Attributes>.

Large message payload support in Apigee hybrid

Apigee now supports message payloads up to 30MB. For information see:

• Message payload size
• runtime.resources.limits.memory in the Configuration property reference.
• runtime.resources.requests.memory in the Configuration property reference.

Apigee API hub is enabled for existing Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for existing Apigee organizations in regions where API hub is supported. All existing Apigee organizations, including hybrid organizations, that selected an API hub-supported region for their Apigee Analytics region will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

The process of enabling API hub for these organizations will continue over the next several weeks until all eligible organizations are updated. No action on your part is required to provision API hub for your organization, with the following exceptions:

• If your Apigee organization has Data Residency or VPC Service Controls enabled, you must configure your API hub instance manually to support these services. See VPC Service Controls for API hub and API hub and data residency for more information.
• If your Apigee organization uses Customer-Managed Encryption Keys (CMEK), you must deprovision the Apigee API hub instance provided by default and recreate it to support CMEK. See Deprovision Apigee API hub and Provision API hub in the Cloud console for step-by-step instructions.

Contact Google Cloud Support for questions or assistance.

Apigee API hub is enabled for existing Apigee organizations in supported regions.

With this release, we are enabling Apigee API hub for existing Apigee organizations in regions where API hub is supported. All existing Apigee organizations, including hybrid organizations, that selected an API hub-supported region for their Apigee Analytics region will have access to API hub features at no additional cost.

API hub allows you to view, organize, and manage all of the APIs in your Apigee organization in one central location. To learn more, see What is Apigee API hub?

The process of enabling API hub for these organizations will continue over the next several weeks until all eligible organizations are updated. No action on your part is required to provision API hub for your organization, with the following exceptions:

• If your Apigee organization has Data Residency or VPC Service Controls enabled, you must configure your API hub instance manually to support these services. See VPC Service Controls for API hub and API hub and data residency for more information.
• If your Apigee organization uses Customer-Managed Encryption Keys (CMEK), you must deprovision the Apigee API hub instance provided by default and recreate it to support CMEK. See Deprovision Apigee API hub and Provision API hub in the Cloud console for step-by-step instructions.

Contact Google Cloud Support for questions or assistance.

Public Preview: Apigee Integrated Developer Portal Admin UI in the Google Cloud console.

This release adds the Apigee Integrated Developer Portal Admin UI from the Classic Apigee UI into the Google Cloud console.

Leveraging Google Cloud console components provides API providers and Portal Admins with a centralized platform to efficiently configure, publish, and manage your API consumer portals, eliminating the need to switch between different UIs.

No new APIs have been introduced in this release.

See Publishing overview to get started.

Public Preview: Apigee Integrated Developer Portal Admin UI in the Google Cloud console.

This release adds the Apigee Integrated Developer Portal Admin UI from the Classic Apigee UI into the Google Cloud console.

Leveraging Google Cloud console components provides API providers and Portal Admins with a centralized platform to efficiently configure, publish, and manage your API consumer portals, eliminating the need to switch between different UIs.

No new APIs have been introduced in this release.

See Publishing overview to get started.

Announcing data collectors data residency (DRZ) compliance for Apigee and Apigee hybrid.

Data collectors can be used with data residency for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.

See Data residency compatibility for information.

Announcing data collectors data residency (DRZ) compliance for Apigee and Apigee hybrid.

Data collectors can be used with data residency for Subscription and Pay-as-you-go organizations and hybrid versions 1.14.0 and later.

See Data residency compatibility for information.

The Apigee Extension Processor is now generally available (GA).

The Apigee Extension Processor lets Apigee customers add API management capabilities to Google Cloud and third-party products and services exposed using Cloud Load Balancing. Select from a range of Apigee policies that enable you to:

• Secure access to your workloads.
• Apply quota enforcement to network traffic.
• Manage Google access token and Google ID token injection to authenticate requests.
• Support native protocols like gRPC, SSE, and HTTP/3.

For more information, see the Apigee Extension Processor overview.

VPC Service Controls (VPC-SC) integration (Preview)

API hub now integrates with VPC Service Controls, providing enhanced network security for your API hub instance provisioned in Google Cloud. Establish service perimeters to control ingress and egress traffic. For more information, see VPC Service Controls for API hub.

Data residency zone compliance

API hub is now compliant with data residency Zone C3 requirements.

For more information, see API hub and data residency.

Terraform support for provisioning

You can now provision API hub instances programmatically using Terraform for Google Cloud within Cloud Shell, enabling infrastructure-as-code practices. For more information, see Provision API hub using Terraform.

Deprovision an API hub instance [API only]

You can now delete an API hub instance from your Google Cloud project using the ApiHubInstance API. For more information, see Deprovision Apigee API hub.

API Supply chain graph view

Visualize and understand the dependencies within your API ecosystem with the new interactive API supply chain graph view. This directed graph allows you to explore the relationships between your APIs and API operations. For more information, see API Supply chain views.

API Metadata Curations

API hub introduces a curation process to transform and enrich API metadata ingested by plugins. This ensures consistency across different sources, enabling effective governance, discovery, and management of your APIs. For more information, see Curations overview.

Enhancements to the Operations entity [API only]

You can now add, edit, or delete operations for an API version even if it lacks a specification file or has an unparsable one. For more information, see Manage operations.

Plugin Framework

API hub now uses a plugin framework to connect and ingest API metadata from various Google Cloud services and external sources where your APIs are managed or defined. This provides a flexible and extensible way to integrate with your existing API landscape. For more information, see Plugins overview.

New flow variable suffixes available for accessing base64-encoded message content.

There are two new read-only flow variable suffixes available for accessing message content in base64-encoded form:

• content.as.base64
• content.as.url.safe.base64

These variable suffixes can be used with the request, response, and message objects, as well as with any Message object created implicitly during API proxy execution when using the AssignMessage or ServiceCallout policies.

For more information, see Flow variables reference.

Availability of client IP resolution functionality with Apigee hybrid.

Client IP resolution functonality is now available with Apigee hybrid versions 1.14.0 and later.

See Client IP resolution for information.

Availability of client IP resolution functionality with Apigee hybrid.

Client IP resolution functonality is now available with Apigee hybrid versions 1.14.0 and later.

See Client IP resolution for information.

New features added to public preview of Risk Assessment v2

This release introduces new features to the Risk Assessment v2 preview:

• Security monitoring conditions. Security monitoring conditions allow you to map resources (proxies or environments) to security profiles. Cloud Monitoring can then use this mapping to alert or create dedicated dashboards so that you can track security scores over time.
• Alerts on security monitoring conditions. Once you've created a monitoring condition, you can set up alerts using Alerting in Cloud Monitoring so that you're notified when the security scores change.

For information on monitoring conditions features and usage see monitoring conditions and alerts. For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.

Note: Rollouts of this functionality to production instances will begin within two business days and may take four or more business days to complete across all Google Cloud zones. Your instances may not have the feature available until the rollout is complete.

Apigee Spaces is now generally available (GA) for use in Apigee organizations.

Apigee Spaces enables identity-based isolation and grouping of API resources within an Apigee organization. With Apigee Spaces, you can have granular IAM control over access to your API proxies, shared flows, and API products.

Spaces also provide the option of resource isolation at a team level, providing a clear separation of resources associated with different teams operating within the same Apigee organization. IAM policies can be applied at the Space level, eliminating the need to manage permissions individually for every API proxy, shared flow, and API product.

Spaces are a brand new resource type with resource-level permissions. This means that Space permissions are not subject to the 64k limitation for project-level IAM conditions. Each space has its own 64k limit.

To learn more, see Apigee Spaces overview.

For Apigee organizations set up without VPC peering, you can now configure Apigee to resolve your private domains by peering your DNS zones with Apigee. See Connecting with private DNS peering zones.

Availability of data obfuscation support with Advanced API Security

With this release, data obfuscation can be used with Advanced API Security.

For usage information, see Obfuscate user data for Apigee API Analytics and Data obfuscation with Advanced API Security.

Overview

This release introduces a redesigned debugging experience for API proxies in the Apigee UI, which is available in Google Cloud console.

This new feature, Debug Sequence View (v2), addresses user feedback and aims to streamline the process of identifying and resolving issues in your API proxies.

We believe that Debug Sequence View will significantly improve the API proxy debugging experience. We encourage you to try it out and provide your valuable feedback as we continue to refine and enhance this feature!

Key highlights

• Intuitive horizontal layout:
  The new Debug Sequence View (v2) features a horizontal sequence diagram, mirroring the familiar layout of the classic Apigee Console UI, making it easier to understand the flow of your API proxy transactions at a glance.
• Enhanced clarity:
  The horizontal visualization, coupled with improved grouping of events, provides a clearer picture of policy execution, highlighting errors and their context within the transaction flow.
• Streamlined workflow:
  Debug Sequence View (v2) is designed to reduce the need for disruptive pop-ups and sifting through events, offering a smoother and more focused debugging experience. Reimagined icons help quickly understand a transaction at a glance.
• Feature parity:
  Debug Sequence View (v2) is designed for users already familiar with debugging in Apigee Classic UI to quickly be proficient.
• Search:
  You can now search for a specific string in the sequence diagram and details pane.
• Improved API status display:
  The API status display in the transaction list has been improved for increased readability.
• Consolidated FlowInfo events:
  FlowInfo events are now grouped together in the sequence diagram.
• Target URL displayed:
  Displayed target URL on "Request Sent" node when relevant

IAM conditions for fine-grained access

API hub now integrates with IAM Conditions, enabling you to define and enforce granular, conditional attribute-based access control for your API hub resources. For more information, see Add IAM conditions.

This release includes general improvements to performance and availability.

This release includes general improvements to performance and availability.

GA of Apigee analytics dashboards in Google Cloud console

You can now access these dashboards in the Apigee UI in Google Cloud console:

• Analytics > Developer analysis > Developer engagement
• Analytics > Developer analysis > Traffic composition
• Analytics > End user analysis > Devices
• Analytics > End user analysis > Geomap

Public Preview of the Apigee APIM Operator for Kubernetes

The Apigee APIM Operator for Kubernetes (Preview) allows you to perform API management tasks using Kubernetes tools. It is designed to support cloud-native developers by providing a command-line interface that integrates with familiar Kubernetes tools like kubectl. The operator works by using various APIM resources to keep your Google Kubernetes Engine (GKE) cluster synchronized with the Apigee runtime.

For more information, see Apigee APIM Operator for Kubernetes overview.

Resource filtering with user-Defined attributes

You can now filter API hub resources based on user-defined attributes using a REST API call. For more information, see Filter resources based on user attributes.

Shadow API Discovery latency improvements

This release improves Shadow API Discovery and removes the latency impact on load balancers previously documented as part of Shadow API Discovery enablement.

For more information on Shadow API Discovery, see the Shadow API Discovery customer documentation.

API key drill down details are now available in the preview release of Advanced API Security Abuse Detection incidents.

This new functionality allows viewing details of detected abuse by the API key used to access the API.

For usage information, see the Abuse Detection customer documentation for incident details.

UI support for environment-level client IP address resolution

This release introduces the ability to view the client IP address resolution setting for an environment in the Apigee Console.

For more information and usage instructions, see the Client IP resolution customer documentation.

Support for environment-level client IP address resolution

This release introduces the ability to specify, per environment, how to capture the client IP address on API requests from the X-Forwarded-For header. When configured for the environment, the specified client IP address is used to apply security actions, populate the ax_resolved_client_ip Analytics variable and the new client.resolved.ip flow variable. The new configuration option can be used to specify the request IP address used in Advanced API Security.

This functionality is not available in Apigee hybrid at this time.

For more information and usage instructions, see the Client IP resolution customer documentation, Analytics dimensions, and client flow variable.

Support for environment-level client IP address resolution

This release introduces the ability to specify, per environment, how to capture the client IP address on API requests from the X-Forwarded-For header. When configured for the environment, the specified client IP address is used to apply security actions, populate the ax_resolved_client_ip Analytics variable and the new client.resolved.ip flow variable. The new configuration option can be used to specify the request IP address used in Advanced API Security.

This functionality is not available in Apigee hybrid at this time.

For more information and usage instructions, see the Client IP resolution customer documentation, Analytics dimensions, and client flow variable.

Enhanced Per-environment Proxy Limits in Apigee Hybrid

Starting in version v1.14, new Apigee hybrid organizations can be provisioned with the ability to deploy more than 50 proxies per environment enabled. This feature is already available for Apigee X.

Starting with Apigee hybrid version 1.14, the limits for Apigee hybrid organizations have increased:

• The maximum number of deployed API proxies and shared flows per organization is 6000.
• The maximum number of proxy deployment units per Apigee instance is 6000.
• The maximum number of API base paths per Apigee organization is 3000.

When more than 50 proxies are deployed in an environment, Apigee will automatically partition the environment into several distinct replica sets, each containing a subset of proxies deployed in the environment. These replica subsets are equivalent in behavior and infrastructure resource usage to a single environment in the way it loads and runs a set of proxies and other environment resources. This will be transparent to the user, and you can continue to use the environment as you would a single environment.

See:

• Enhanced per-environment proxy limits
• Subscription 2024

Forward Proxy allowlist access

Starting in version v1.14, forward proxies pass through access to allowlisted URLs. Therefore you only need to configure allowlists to googleapis.com URLs on the server on which the forward proxy is configured. See:

• Google Cloud URLs to allow for Hybrid
• Using Data Residency with Apigee hybrid: URL allowlisting
• Configure forward proxying for API proxies

Guardrails checks to ensure backups before upgrade

Starting in version 1.14 new guardrails checks have been added to ensure a backup is enabled and has been made before proceeding with an upgrade. See:

• Upgrading Apigee hybrid to version v1.14
• Diagnosing issues with guardrails

Enable and disable metrics-based scaling with customAutoscaling.enabled

Starting in version v1.14, you can enable and disable metrics-based auto-scaling with the customAutoscaling.enabled configuration property. See:

• Scale and autoscale runtime services: Metrics-based scaling
• customAutoscaling.enabled

Cassandra credential rotation

Starting in version v1.14, you can rotate Cassandra credentials in Kubernetes secrets. In addition, you can now roll back credential rotation before the cleanup job is initiated in both Vault and Kubernetes secrets. See:

• Rotating Cassandra credentials in Kubernetes secrets
• Rotating Cassandra credentials in Vault: Rolling back a rotation
• Rotating Cassandra credentials in Kubernetes secrets: Rolling back a rotation

New analytics and debug data pipeline for hybrid orgs

Starting with version 1.14, Apigee hybrid orgs can use a new data pipeline to collect analytics and debug data and allow various runtime components to write data directly to our control plane. Control plane access is required to enable the new data pipeline.

See:

• Enable Control Plane access
• Configure hybrid to use the new data pipeline (v1.14.0 only)

IP address drill down details are now available in the preview release of Advanced API Security Abuse Detection Incidents.

This new functionality allows viewing details of detected abuse by source IP.

For usage information, see the Abuse Detection customer documentation.

In addition to us-central1 and europe-west1, Apigee API hub now supports the following new hosting regions:

See Provision API hub.

Apigee no longer limits the number of Cloud projects that can connect to an Apigee instance. Previously, the limit was 50 projects. For each project, you can now create up to 100 Private Service Connect Network Endpoint Groups. The previous limit was 20. For any Apigee instances created before October 10, 2024, you must perform an update to the consumer accept list for an Apigee instance if you want to take advantage of these new limits. See Updating the consumer accept list for an Apigee instance. See also Limits.

New features added to the Risk Assessment v2 preview

This release introduces new features to the Risk Assessment v2 preview:

• Support for custom security profiles. You can create your own security profiles, with unique combinations of risk assessment checks and weights, to use for proxy risk assessment.
• New assessment checks. We've added additional checks you can use when assessing proxy risk.
• Assess proxies across multiple profiles. You can now switch between security profiles to see differences in scoring across profiles.

For usage information and a list of all features in Risk Assessment v2, see the Risk Assessment v2 customer documentation.

New analytics and debug data pipeline for data residency-enabled orgs

Starting in v1.13.1 hybrid organizations created with data residency enabled must use the new data pipeline to collect analytics and debug data and allow various runtime components to write data directly to our control plane. Changes to overrides file and control plane access are required to enable the new data pipeline.

For details, see:

• Enabling the new data pipeline.
• Configure hybrid to use the new data pipeline

Cassandra credential rotation in Vault

Starting in version v1.3.1, You can set up automatic Cassandra credential rotation when your credentials are stored in Hashicorp Vault. See Rotating Cassandra credentials in Hashicorp Vault.

With this release, all remaining Apigee API Management organizations with Subscription 2021 contracts have been upgraded to introduce standard and extensible API proxy features.

To learn more about:

• Standard and Extensible API Proxy types, see API Proxy types.
• Viewing proxy deployment count, see View proxy deployment usage.

We added a new Supply chain page where you can create, view and manage your dependencies across API operations. The same dependencies can also be created from the API operations page. See Manage dependencies.

A new "Get started with API hub" page was added to the user interface. This new page includes valuable getting started information, including a new FAQ, to help you get the most out of API hub.

The Semantic Search (formerly Smart Search) user interface has been improved, and search results are shown across all API hub entities, such as APIs, deployments, specifications, and versions. See Search and filter APIs.

We added support for GMEK and CMEK in the provisioning steps. While provisioning, you can also choose to host your Vertex search data in a different location or disable Vertex search altogether. See Provision API hub.

While you can use API hub by making direct REST over HTTP requests, we now provide client libraries for several popular languages. See API hub client libraries.

We added support for Cloud audit logging.

The List APIs for specifications, dependencies, and external APIs have been enhanced to return a complete response, including user-defined attributes.

Significant user interface improvements were made, such as standardization of cards on the API details page, unlinking of deployments, various performance fixes, and more.

If you have CMEK org policy constraints on your Google Cloud project, Apigee will enforce compliance with those constraints and guide you in choosing valid configuration, and prevent you from using Apigee features that are not CMEK-compliant.

The following documents are new and explain how to use CMEK with Apigee:

• Using organization policy constraints in Apigee
• Best practices for Apigee CMEK

The following documents have been updated with the relevant CMEK information:

• Introduction to CMEK
• Compare evaluation and paid organizations in Apigee
• Provisioning an eval org
• Provision a paid org without VPC peering
• About the Apigee encryption keys
• Compatible services
• Use Cloud KMS keys in Google Cloud