In APIM, we can choose how we control access to our APIs:
We can keep things as is, so no subscription is needed at all.
We can restrict all API calls, so that before an API can be used, a developer must go to our API portal and subscribe to it.
Or something in between: we can keep some APIs open and require a subscription for others.
The subscription process can be automated, so that when a user requests a subscription, the subscription key is granted automatically. Or it can be controlled, so that the API Management admin has to manually approve the user.
Stronger methods of authentication can also be used if desired, such as client certificates, OAuth 2.0, or IP whitelisting.
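To check which of the modes above each API actually ends up in, the following added example (not part of the original page) classifies an exported inventory and lists APIs that are open without being meant to be. The inventory shape, the API and product names, and the rule that an API is treated as open if either its own flag or any product containing it does not require a subscription are assumptions of this sketch.

```python
# Constructed sample inventory. The field names subscriptionRequired and
# approvalRequired are the ARM properties on APIM APIs and products; the API
# and product names and the "apis" membership list are made up for this example.
APIS = {
    "status":  {"subscriptionRequired": False},
    "orders":  {"subscriptionRequired": True},
    "billing": {"subscriptionRequired": True},
    "legacy":  {"subscriptionRequired": True},
    "reports": {"subscriptionRequired": True},
}
PRODUCTS = {
    "public":  {"subscriptionRequired": False, "apis": ["status", "legacy"]},
    "starter": {"subscriptionRequired": True, "approvalRequired": False, "apis": ["orders"]},
    "partner": {"subscriptionRequired": True, "approvalRequired": True, "apis": ["orders", "billing"]},
}

def classify(apis, products):
    """Map each API to the weakest access path that reaches it.

    Missing fields fall back to subscriptionRequired=True and
    approvalRequired=False (assumed defaults for this sketch).
    """
    modes = {}
    for name, api in apis.items():
        member_of = [p for p in products.values() if name in p.get("apis", [])]
        keyed = [p for p in member_of if p.get("subscriptionRequired", True)]
        if not api.get("subscriptionRequired", True) or len(keyed) < len(member_of):
            modes[name] = "open"            # callable without a subscription key
        elif not keyed:
            modes[name] = "no-product"      # not offered through any product here
        elif any(not p.get("approvalRequired", False) for p in keyed):
            modes[name] = "key-auto"        # key granted automatically on request
        else:
            modes[name] = "key-approved"    # admin must approve each subscription
    return modes

def unexpected_open(modes, allowed_open):
    """Return APIs that are open but not on the intended-open allowlist."""
    return sorted(n for n, m in modes.items() if m == "open" and n not in allowed_open)

if __name__ == "__main__":
    modes = classify(APIS, PRODUCTS)
    for name, mode in sorted(modes.items()):
        print(f"{name:8} {mode}")
    print("review:", unexpected_open(modes, {"status"}))
```

In the sample, `legacy` requires a subscription on the API itself but is also published in an open product, which is the "something in between" case that is easy to create by accident.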