Azure Api Management

Jun 28 2015 8:21 AM
Dear Sir,
I have deployed my Web API on Azure Websites and am exposing it through the Azure API Management portal. I want to block access on the azurewebsites URL so that a user can only access my API through the Azure API Management proxy through a security key. Can you please shed some light on how this can be done? I have heard mutual certificates can be used, but I am not finding any article online which describes the process of creating such certificates and configuring Web API to use them effectively.
My second question is: is there a mechanism to get the API primary key based on username / password and product name? What would be the best approach regarding keeping that API access key? Should the client app store it in some config file, and should this be obtained programmatically at run time?
Many thanks,