Best Practices for Apigee Product and App Management Across Test and Prod Environments

Hi everyone,

As part of our Apigee go-live strategy, we are preparing to promote our API proxies from test to production, and I’d like to validate the best practices around managing Products and Developer Apps across environments.

Here’s the high-level flow we currently follow:

Environment-specific deployment strategy:
• KVMs: Created per environment (e.g., kvm-prod-auth, kvm-test-auth) to store environment-specific values (like secret manager names or flags).
• Secret Manager: Used to store credentials securely; reused across environments if values are the same, or duplicated with production-specific names if credentials differ.
• Target Servers: Created per environment pointing to the appropriate backend URLs.

API Proxy & Product deployment:
• We deploy proxies to each environment independently (Test, Prod).
• For each proxy, we create an API Product that exposes it.

Main questions regarding Products & Apps:

This is the part I need the most community input on:

  1. Should we create new API Products per environment, e.g., product-test-case-creation, product-prod-case-creation, or should we use a single product (e.g., product-case-creation) exposed across both environments?
  2. For our consumers (external/internal developers):
    • Should we create new Developer Apps for production (e.g., my-app-test, my-app-prod)?
    • Or can we reuse the same app that was used for test, and simply point it to the production product?
    • How do you usually handle OAuth client credentials — are new credentials (client ID/secret) generated per environment, or reused across environments?
  3. What’s the security and operational best practice here to avoid accidental calls to prod from test apps or vice versa?

What we want to ensure:
• Clean separation between test and prod traffic.
• Controlled access to production endpoints.
• Minimal confusion for developers using the APIs.
• Easy revocation or rotation of client credentials per environment.

Any recommendations, real-world examples, or official guidance from your experience would be greatly appreciated. Thank you!

The first best practice would be to have separate production and non production Apigee organizations.

This will keep all your production and test consumers (aka developers) separate, as well as your apps. This also inherently means each organization would have its own set of products that map to the appropriate environments.

If you think about it, if you have a single organization and a single API product, that means your test client can access your production API, which you probably don’t want. And similarly for your developer apps, you’ll want separate apps for production.

@dknezic

In case there is no other organization and we are depending on creating separate environments within the same project.

What should the best practice for products be?

You can limit an API Product by environment.
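
An added example, not part of the thread: a small audit for the single-organization case, which flags API products that are not limited to one side of the test/prod split and app credentials approved for products on both sides. The records are constructed and use the field names of Apigee API product and developer app JSON (`environments`, `credentials`, `apiProducts`); the environment names and the reading of an empty `environments` list as "not restricted" are assumptions.

```python
import json

# Constructed sample data, shaped like Apigee API product and developer app
# records ("environments", "credentials", "apiProducts"). Names are made up.
PRODUCTS = json.loads("""[
  {"name": "product-test-case-creation", "environments": ["test"]},
  {"name": "product-prod-case-creation", "environments": ["prod"]},
  {"name": "product-case-creation", "environments": []},
  {"name": "product-shared", "environments": ["test", "prod"]}
]""")
APPS = json.loads("""[
  {"name": "my-app-test", "credentials": [{"consumerKey": "key-test-1",
    "apiProducts": [{"apiproduct": "product-test-case-creation", "status": "approved"}]}]},
  {"name": "my-app-prod", "credentials": [{"consumerKey": "key-prod-1",
    "apiProducts": [{"apiproduct": "product-prod-case-creation", "status": "approved"}]}]},
  {"name": "my-app", "credentials": [{"consumerKey": "key-mixed-1",
    "apiProducts": [{"apiproduct": "product-test-case-creation", "status": "approved"},
                    {"apiproduct": "product-prod-case-creation", "status": "approved"}]}]}
]""")
PROD_ENVS = {"prod"}  # assumption: environment names as used in the thread


def product_scope(product):
    """Return 'prod', 'nonprod', or 'mixed' for one API product."""
    envs = set(product.get("environments") or [])
    if not envs:  # assumption: an empty list means no environment restriction
        return "mixed"
    if envs <= PROD_ENVS:
        return "prod"
    return "mixed" if envs & PROD_ENVS else "nonprod"


def audit(products, apps):
    """List products spanning prod and non-prod, and credentials reaching both."""
    scope = {p["name"]: product_scope(p) for p in products}
    findings = [("product", n) for n, s in scope.items() if s == "mixed"]
    for app in apps:
        for cred in app.get("credentials", []):
            # Unknown product names are treated as 'mixed' so the check fails closed.
            reached = {scope.get(ap["apiproduct"], "mixed")
                       for ap in cred.get("apiProducts", [])
                       if ap.get("status") == "approved"}
            if "mixed" in reached or {"prod", "nonprod"} <= reached:
                findings.append(("credential", f'{app["name"]}:{cred["consumerKey"]}'))
    return findings


if __name__ == "__main__":
    for kind, name in audit(PRODUCTS, APPS):
        print(f"{kind}: {name} can reach both prod and non-prod")
```
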