Verify api key behavior

Created a new proxy with the VerifyAPIKey policy and added it to the product and app.
I tried testing with different active keys present in the org. The expectation is to throw an error when keys other than the original key are sent. But the proxy accepts all the active keys present in that env/org. Is this the right understanding?

@dino @Sai1 


Ideally it should not. Do the apps whose keys you are trying include the API product? If yes, then it's working as expected.

Please make sure you add the proxy to the product and configure that product to the app. 

Thanks for the reply. Let me add some more info to this conversation.

I added my proxy to a new product and an app. Hit the endpoint with the client ID. It worked successfully as expected.

I have removed the product from the app and tried hitting the same endpoint with/without the same client id.

I was able to hit the endpoint successfully with the same client ID even after removing the product. The expectation is to get an error since I have removed the product from the app, or else the proxy accepts all client IDs in the org. Is that the right expectation?

@playarun93 - can you please confirm if the VerifyAPIKey policy is executing? Can you check the calls via debug and confirm it's getting executed?

I do see the VerifyAPIKey policy is executing

I was able to hit the endpoint successfully with the same client ID even after removing the product.

Two things:

  1. If you have a client ID that has no products at all, it will be good for ALL products. It's like a "master" client ID. If you don't want that behavior, assign at least one product to a client ID.
  2. There's a cache for API key status in the runtime, it will live for about 180s. Any change that you make to a key, or an app, or a product, will not be seen by the runtime for up to 180s. Wait a bit and retry. I expect that you will see that the VerifyAPIKey policy will reject the API key if you wait long enough. (Assuming you have observed item #1 above)
@playarun93 wrote:

The expectation is to throw an error when keys other than the original key are sent.

Apigee will treat all active API keys as … active? There is not a way to configure VerifyApiKey to verify a specific API key. If you want to verify a specific value you would have to hard-code a Condition with the value of interest, or include some other check for proof-of-key-possession. (Like verify a signature)
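As an added example (not posted by anyone in this thread), this is what the "hard-code a Condition" approach from the last reply could look like in an API proxy: VerifyAPIKey runs first, then a RaiseFault step fires whenever the resolved client ID is not the one expected. The policy names Verify-API-Key and Reject-Unexpected-Key, the query parameter name and the placeholder client ID are assumptions; the flow variable verifyapikey.{policy_name}.client_id is the one VerifyAPIKey populates.

```xml
<!-- apiproxy/policies/Verify-API-Key.xml -->
<VerifyAPIKey name="Verify-API-Key">
  <!-- Assumed: the key is sent as the "apikey" query parameter -->
  <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

<!-- apiproxy/policies/Reject-Unexpected-Key.xml -->
<RaiseFault name="Reject-Unexpected-Key">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <ReasonPhrase>Unauthorized</ReasonPhrase>
      <Payload contentType="application/json">{"error":"unexpected_client_id"}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- apiproxy/proxies/default.xml (relevant part of the PreFlow only) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- 1. Validate the key against the org; any active key that maps to
              this proxy's product (or a key with no products at all) passes. -->
      <Step>
        <Name>Verify-API-Key</Name>
      </Step>
      <!-- 2. Pin to one specific client ID. The Condition reads the client ID
              that VerifyAPIKey resolved; any other valid key is rejected.
              EXPECTED_CLIENT_ID_PLACEHOLDER is a placeholder, not a real key. -->
      <Step>
        <Condition>verifyapikey.Verify-API-Key.client_id != "EXPECTED_CLIENT_ID_PLACEHOLDER"</Condition>
        <Name>Reject-Unexpected-Key</Name>
      </Step>
    </Request>
  </PreFlow>
</ProxyEndpoint>
```

The pinned value is compared after VerifyAPIKey has already validated the key, so an inactive or revoked key is still rejected by the policy itself; the Condition only narrows which of the valid keys this proxy accepts.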