I'm testing API product enforcement behavior on API keys, and I'm getting weird results. Just trying to understand what *should* work and what shouldn't. (I'd like to improve the docs.) I've already seen https://community.apigee.com/questions/13494/creating-api-product-on-pattern-matching.html, which is unresolved, but I wanted to start a different thread for the behavior I'm seeing.

In my API call, I've got this proxy prefix: /foo/bar/hello/iloveapis (and I'm attaching my Verify API Key policy on the PreFlow).

When I don't include my API key, I get a 401 on any call to the proxy, as expected.

On my API product, I've included my helloworld proxy, and I'm trying out different resource paths.

For example, /foo/** set on the product gives me a 200 all the time when I do a GET on /foo/bar/hello/iloveapis?apikey=[key] in cURL or Trace.

Then, when I change the resource to allow only calls to /foo/monkey/**, I get a mix between 401s and 200s!

It also appears that mixing /* with /** sometimes works and sometimes doesn't:

Gives a mix between 401 and 200: /*/bar/*/iloveapis

Seems to mostly give 200: /foo/bar/**

Gives a mix between 401 and 200: /*/bar/**

Just trying to figure out which wildcard combos are supported and which aren't, and why random paths that I never use sometimes allow 200s. (Some caching/refresh cycle that needs to happen on the MPs?)

In the docs, we imply that you can use /, /*, and /**, and we don't note any particular restrictions on combinations.

Thanks for any insights.