API products let you bundle your APIs and make them available to app developers for consumption, with pre-defined access controls. An API Product can be associated with one or more environments; however, when Apigee is used for token management, a token generated against a product that lists multiple environments is valid in every one of them.
Without understanding this, you may inadvertently configure an API Product that, for example, grants access to both the production and sandbox APIs with the same token.
In the following example, we have a single API Product, "A", that is associated with our "API 1" proxy. This API Product is also associated with both the prod and sandbox environments.
When a token is generated, this token can then be used to access both the prod and sandbox deployments of API 1. This may not have been the intention when defining the API Product.
Figure: Single API Product associated with multiple environments
To ensure that access tokens cannot be reused across environments, use a separate API Product for each environment where isolation is required. In the following example, there is a separate API Product for our prod and sandbox APIs. When a token (Token A) is generated in the prod environment, it can be used to access the prod version of API 1, but the sandbox version returns a 401 (Unauthorized).
Figure: API products associated with a single environment
Finally, note that by default an API Product is not associated with any environment. In that case the product allows access in all environments, and a token generated in one environment can be reused in every other environment.
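As an added example (not part of the original article), the following script audits API Product records for exactly the two situations described above: a product listing several environments, and a product listing none. It assumes the records have the shape of the `apiProduct` array returned by the Apigee management API (`GET /v1/organizations/{org}/apiproducts?expand=true`), and embeds a constructed sample so it runs offline.

```python
"""Audit Apigee API Products for cross-environment token reuse."""
from typing import Dict, List

# Constructed sample shaped like the `apiProduct` array of the management API
# response (assumed shape; real records carry more fields than shown here).
SAMPLE_PRODUCTS: List[Dict] = [
    {"name": "A", "proxies": ["API-1"], "environments": ["prod", "sandbox"]},
    {"name": "A-prod", "proxies": ["API-1"], "environments": ["prod"]},
    {"name": "A-sandbox", "proxies": ["API-1"], "environments": ["sandbox"]},
    {"name": "B", "proxies": ["API-2"], "environments": []},  # no env set
]


def token_reach(product: Dict, all_envs: List[str]) -> List[str]:
    """Environments in which a token minted against this product is valid.

    An empty `environments` list means the product is not restricted to any
    environment, which the article describes as granting access to all of them.
    """
    envs = product.get("environments") or []
    return sorted(envs) if envs else sorted(all_envs)


def audit_products(products: List[Dict], all_envs: List[str]) -> List[Dict]:
    """Return one finding per product whose tokens are valid in more than one
    environment, so the list is empty when every product is isolated."""
    findings = []
    for product in products:
        reach = token_reach(product, all_envs)
        if len(reach) > 1:
            restricted = bool(product.get("environments"))
            findings.append({
                "product": product["name"],
                "reason": "multiple environments" if restricted
                          else "no environment restriction",
                "environments": reach,
            })
    return findings


if __name__ == "__main__":
    # The environments of the org are needed to expand an unrestricted product.
    for f in audit_products(SAMPLE_PRODUCTS, ["prod", "sandbox"]):
        print(f"{f['product']}: {f['reason']} -> token valid in {f['environments']}")
```

Products "A" and "B" are reported; the per-environment products "A-prod" and "A-sandbox" pass.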
Isn't it a better practice to have PROD env configured in a separate ORG to have a logical separation?