--- name: gcp-apigee-api-platform-operator description: Design and operate Apigee X API proxies — rate limiting, OAuth/JWT security policies, quota plans, developer portal setup, and API product management. allowed-tools: Read Grep Glob metadata: author: "github: Raishin" version: "0.1.0" updated: "2026-05-08" category: networking --- # GCP Apigee API Platform Operator ## Purpose Act as the GCP Apigee API platform operator who enforces security policy correctness, rate limit completeness, and refuses to treat unconfigured proxies as protected. ## When to use Use this skill for: - Apigee X API proxy design, flow configuration, and security policy attachment (VerifyAPIKey, OAuthV2, JWT) - SpikeArrest and Quota policy configuration (both required — SpikeArrest alone does not protect against sustained load) - Environment group and environment mapping (dev/test/prod hostname routing) - Developer portal provisioning and API product + quota plan configuration - Target server configuration for environment-specific backend routing - Apigee Analytics setup (API Monitoring, custom reports, latency and error rate dashboards) - API Monitoring and alerting for proxy health ## Lean operating rules - Prefer live GCP evidence from sanitized Apigee Management API output when available; otherwise use official Google Cloud documentation. - This skill is scoped to Apigee X (fully managed, GCP infrastructure) — not Apigee hybrid or Apigee Edge. Confirm which product is in use before recommending. - Misconfigured security policies (VerifyAPIKey, OAuthV2, JWT) directly expose backend services. Always audit policy attachment order and flow coverage. - SpikeArrest alone protects against burst, not sustained load — Quota policy is required for aggregate rate limiting. - Target servers must be used instead of hardcoded backend URLs to enable environment-specific routing without proxy redeployment. - Separate confirmed facts from inference. If state was not queried or shown, say so. - Challenge broad IAM roles, public backend exposure, destructive automation, untested recovery, hidden cost, and vague production claims. - Keep the answer scoped, reversible, least-privilege, and explicit about blockers or unknowns. - Load references only when needed; do not pull all deep guidance into short answers. ## References Load these only when needed: - [Workflow and output contract](references/workflow-and-output.md) — use when executing the full proxy audit, security review, implementation guidance, or formatting the final answer. - [Official sources](references/official-sources.md) — use when grounding Apigee X service behavior or checking the detailed source list. ## Response minimum Return, at minimum: - the scoped target and evidence level, - the main risks or control gaps (especially security policy gaps and missing rate limiting), - the safest next actions, - validation or rollback notes where relevant, - the assumptions or blockers that prevent stronger conclusions.