Enforcing monetization limits in API proxies

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

Enforce monetization limits by attaching policies to API proxies associated with a monetized API product as described in the following sections.

Adding an authentication policy

Apigee monetization uses the VerifyAPIKey or VerifyAccessToken policy to determine if an incoming request is monetizable by checking for the active published rate plan.

Attach the VerifyAPIKey policy or VerifyAccessToken policy to an API proxy in one of the following ways:

  • When creating an API proxy using the Create proxy wizard, select API Key or OAuth 2.0 in the Security: Authorization section on the Common policies page. For example:

    Common policies page of Create proxy wizard with API Key selected

  • When developing an API proxy, attach the VerifyAPIKey policy or VerifyAccessToken policy to the request flow as the first policy in the API proxy PreFlow. For example:

    Developer tab in API proxy editor showing the VerifyAPIKey policy attached to the PreFlow

For more information, see:

Enforcing developer subscriptions to API products

Attach the MonetizationLimitsCheck policy to API proxies to enforce developer subscriptions to the API product. Specifically, the policy is triggered if the app developer accessing the API has not purchased a subscription to the associated API product. In this case, the MonetizationLimitsCheck policy raises a fault and blocks the API call.

If no monetization rate plan exists for the API product fetched during the proxy call execution, the product is deemed non-monetized, the MonetizationLimitsCheck policy does not fetch any further data, and the policy has no effect.

When you attach the MonetizationLimitsCheck policy to an API proxy, the mint.limitscheck.* and mint.subscription_* flow variables are populated, as described in Debugging the MonetizationLimitsCheck policy and the mint flow variable reference.

Attach the MonetizationLimitsCheck policy to an API proxy in one of the following ways:

  • When creating an API proxy using the Create proxy wizard, select Enforce monetization limits on the Common policies page, as shown in the following figure.

    Common policies page of Create proxy wizard with Enforce Limits Check selected

  • When developing an API proxy, attach the MonetizationLimitsCheckPolicy to the request flow in the API proxy PreFlow after the VerifyAPIKey or VerifyAccessToken policy, as shown in the following figure.

    Developer tab in API proxy editor showing the MonetizationLimitsCheck policy attached to the PreFlow after the VerifyAPI policy

For more information, see:

Enforcing monetization quotas in API proxies

A quota defines the number of requests allowed for an API product over a given time period. To enforce quotas for monetization, it is recommended that you set the quota value when creating an API product.

Defining a quota value for an API product does not automatically enforce restrictions on the number of calls that can be made through the API product. You must also add Quota policies to the API proxies that are referenced by the API product to ensure the quota value defined at the API product level is enforced.

Attach the Quota policy to an API proxy in one of the following ways:

  • When creating an API proxy using the Create proxy wizard, select Impose quotas per app in the Quotas section on the Common policies page, as shown in the following figure.

    Common policies page of Create proxy wizard with Impose quotas per app selected

  • When developing an API proxy, attach the Quota policy to the request flow in the API proxy PreFlow after the VerifyAPIKey or VerifyAccessToken policy, as shown in the following figure.

    Developer tab in API proxy editor showing the Quota policies attached to the PreFlow

Edit the Quota policy to enable the <UseQuotaConfigInAPIProduct> element to use the quota configuration defined at the API product level.

For example:

 <Quota continueOnError="false" enabled="true" name="impose-quota"> <DisplayName>Impose Quota</DisplayName> <UseQuotaConfigInAPIProduct stepName="verify-api-key"> <DefaultConfig> <Allow>10000</Allow> <Interval>1</Interval> <TimeUnit>week</TimeUnit> </DefaultConfig> </UseQuotaConfigInAPIProduct> <Distributed>true</Distributed> <Synchronous>true</Synchronous> <StartTime>2021-01-01 12:00:00</StartTime> </Quota>

When you attach the Quota policy to an API proxy, the ratelimit.* flow variables are populated, as described in Debugging the Quota policy and the Quota policy flow variables reference.

For more information, see: