I'm looking to do something very simple, but I'm having trouble figuring out what the Apigee "idiomatic" way is for carrying it out.

Suppose I'm protecting a back-end API which has resources such as /api/v1/products and /api/v1/users. They all share the same base path /api/v1. And suppose the only thing I'm trying to do is pass through requests, subject to access control policies. Let's also assume that I don't need different access controls for the different resources. I also want to return a 404 if a request comes in for an endpoint that I haven't explicitly specified.

So do I want to create separate endpoints for /api/v1/products and /api/v1/users? That seems verbose.

Or do I create one endpoint for /api/v1 and put conditional flows underneath for suffixes matching /products and /users, and then a fall-through that matches everything else with a RaiseFault policy? That seems like the right thing, except that I'm not really doing anything inside the conditional flows. They're only there so that I can explicitly specify the resources to which I want to allow access.

Or do I create one endpoint for /api/v1 and put in separate routing rules for suffixes matching /products and /users? And if it's that, how do I configure the fall-through 404 case?