Suppose I have a developer portal, and it allows developers to register, sign in, view the catalog of APIs available, and then "subscribe" or get credentials for "sandbox" versions of various APIs.
The developer builds and tests an app, and then requests access to the production system.
What's the best way to facilitate that?
- "Promote" the existing credentials that work in the sandbox, to also work in production?
- Ask the developer to request new credentials for a different API Product? (Maybe the production API product requires manual approval)
- Something else?
I've seen a variety of approaches to this problem and it depends on the size of your API Consumer / Developer community and the balance required for self-service vs some lightweight admin.
The first point I would make is to strongly recommend against using the same credentials for the Sandbox and Production Apps. You don't have any real visibility of the protocols put in place at the consumer end around how they administer credentials. Enforcing some separation yourself is good basic security hygiene.
So in terms of promotion models, here's what I've seen:
There are several Pros and Cons of the above approaches and it really depends on your API Consumer community and how you're interacting with them. Some thoughts to consider
See also https://community.apigee.com/articles/23210/coordinating-api-and-app-development-cycles.html for more thoughts.
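
The separation recommended in the answer can be checked after the fact. The following is an added example, not part of the original posts: it audits an export of developer apps and flags any consumer key that is approved for both a sandbox and a production API product. The sample records, the product names and the product-to-environment mapping are constructed, and the field names are assumed to follow the shape of an Apigee developer app record.

```python
# Constructed sample data; field names assume the Apigee developer app shape
# (credentials[].consumerKey, credentials[].apiProducts[].apiproduct/status).
PRODUCT_ENV = {  # assumed mapping of API product name -> environment
    "payments-sandbox": "sandbox", "payments-prod": "production",
    "catalog-sandbox": "sandbox", "catalog-prod": "production",
}

SAMPLE_APPS = [
    {"name": "acme-mobile", "credentials": [
        {"consumerKey": "key-AAA", "status": "approved", "apiProducts": [
            {"apiproduct": "payments-sandbox", "status": "approved"},
            {"apiproduct": "payments-prod", "status": "approved"}]}]},
    {"name": "acme-web", "credentials": [
        {"consumerKey": "key-BBB", "status": "approved", "apiProducts": [
            {"apiproduct": "catalog-sandbox", "status": "approved"}]},
        {"consumerKey": "key-CCC", "status": "approved", "apiProducts": [
            {"apiproduct": "catalog-prod", "status": "approved"}]}]},
    {"name": "beta-tool", "credentials": [
        {"consumerKey": "key-DDD", "status": "approved", "apiProducts": [
            {"apiproduct": "catalog-sandbox", "status": "approved"},
            {"apiproduct": "catalog-prod", "status": "pending"},
            {"apiproduct": "legacy-api", "status": "approved"}]}]},
]


def audit_credentials(apps, product_env):
    """Return (shared, unclassified): keys active in both environments, and
    approved products missing from the mapping (these need manual review)."""
    shared, unclassified = [], set()
    for app in apps:
        for cred in app.get("credentials", []):
            if cred.get("status") != "approved":
                continue  # a non-approved key is not usable in either environment
            envs = set()
            for p in cred.get("apiProducts", []):
                if p.get("status") != "approved":
                    continue  # pending or revoked product grants are not active
                env = product_env.get(p["apiproduct"])
                if env is None:
                    unclassified.add(p["apiproduct"])
                else:
                    envs.add(env)
            if {"sandbox", "production"} <= envs:
                shared.append((app["name"], cred["consumerKey"]))
    return shared, sorted(unclassified)


if __name__ == "__main__":
    print(audit_credentials(SAMPLE_APPS, PRODUCT_ENV))
```

A key with a production grant that is still pending is not flagged, so the check can run while a manual approval is in flight and will start reporting the key only if the approval lands on the existing sandbox credential.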