We can check for the session details before updating access rights

gateway/api.go

@@ -263,11 +263,8 @@ func (gw *Gateway) applyPoliciesAndSave(keyName string, session *user.SessionSta
 
 	// calculate lifetime considering access rights
 	lifetime := gw.ApplyLifetime(session, spec)
-	if err := gw.GlobalSessionManager.UpdateSession(keyName, session, lifetime, isHashed); err != nil {
-		return err
-	}
 
-	return nil
+	return gw.GlobalSessionManager.UpdateSession(keyName, session, lifetime, isHashed)
 }
 
 // GetApiSpecsFromAccessRights from the session.AccessRights returns the collection of api specs
@@ -324,22 +321,28 @@ func (gw *Gateway) doAddOrUpdate(keyName string, newSession *user.SessionState,
 	}
 
 	if len(newSession.AccessRights) > 0 {
+		_, found := gw.GlobalSessionManager.SessionDetail(newSession.OrgID, keyName, isHashed)
+		if !found {
+			log.WithFields(logrus.Fields{
+				"prefix":      "api",
+				"key":         keyName,
+				"org_id":      newSession.OrgID,
+				"api_id":      apiId,
+				"user_id":     "system",
+				"user_ip":     "--",
+				"path":        "--",
+				"server_name": "system",
+			}).Warn("API inactive or doesn't exist.")
+
+			return errors.New("API must be active to add keys")
+		}
+
 		// reset API-level limit to empty APILimit if any has a zero-value
 		resetAPILimits(newSession.AccessRights)
 		// We have a specific list of access rules, only add / update those
 		for apiId := range newSession.AccessRights {
 			apiSpec := gw.getApiSpec(apiId)
 			if apiSpec == nil {
-				log.WithFields(logrus.Fields{
-					"prefix":      "api",
-					"key":         keyName,
-					"org_id":      newSession.OrgID,
-					"api_id":      apiId,
-					"user_id":     "system",
-					"user_ip":     "--",
-					"path":        "--",
-					"server_name": "system",
-				}).Warn("API inactive or doesn't exist.")
 
 				apiSpec = &APISpec{
 					APIDefinition: &apidef.APIDefinition{