Enforce monetization limits in API proxies

This page applies to Apigee and Apigee hybrid.

This page describes how to enforce monetization limits by attaching policies to API proxies in a monetized API product.

Add an authentication policy

Apigee monetization uses the VerifyAPIKey policy or the VerifyAccessToken operation of the OAuth2 policy to determine if an incoming request is monetizable by checking for the active published rate plan.

Attach the policy to the API proxy using the Apigee UI or the API. See Editing an API proxy for information on editing a proxy.

Enforce developer subscriptions on API products

Attach the MonetizationLimitsCheck policy to API proxies to enforce developer subscriptions on the API product:

  • If no monetization rate plan exists for the API product fetched during the proxy call execution, the product is deemed non-monetized, the MonetizationLimitsCheck policy does not fetch any further data, and the policy has no effect.
  • If a rate plan is found but a subscription is not found for the API developer, the MonetizationLimitsCheck policy raises a fault and blocks the API call.

When you attach the MonetizationLimitsCheck policy to an API proxy, the mint.limitscheck.* and mint.subscription_* flow variables are populated, as described in Debugging the MonetizationLimitsCheck policy and the mint flow variable reference.

Enforce monetization quotas in API proxies

A quota defines the number of requests allowed for an API product over a given time period. To enforce quotas for monetization, it is recommended that you set the quota value when creating an API product.

Defining a quota value for an API product does not automatically restrict the number of calls that can be made through the API product. You must also add Quota policies to the API proxies that the API product references, so that the quota value defined at the API product level is actually enforced.

Edit the Quota policy to enable the <UseQuotaConfigInAPIProduct> element, so that the policy uses the quota configuration defined at the API product level.

For example:

<Quota continueOnError="false" enabled="true" name="impose-quota">
    <DisplayName>Impose Quota</DisplayName>
    <UseQuotaConfigInAPIProduct stepName="verify-api-key">
        <DefaultConfig>
            <Allow>10000</Allow>
            <Interval>1</Interval>
            <TimeUnit>week</TimeUnit>
        </DefaultConfig>
    </UseQuotaConfigInAPIProduct>
    <Distributed>true</Distributed>
    <Synchronous>true</Synchronous>
    <StartTime>2021-01-01 12:00:00</StartTime>
</Quota>

When you attach the Quota policy to an API proxy, the ratelimit.* flow variables are populated, as described in Debugging the Quota policy and the Quota policy flow variables reference.
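
The following Python check is an added example, not part of the Apigee documentation or Apigee tooling. It audits a request flow for the three enforcement steps this page describes: an authentication step, MonetizationLimitsCheck, and a Quota policy bound to the API product through <UseQuotaConfigInAPIProduct>. It assumes the policies are supplied as XML strings, that all steps sit in one request flow, and that the authentication step must run before the steps that depend on it; the function name and the sample bundle are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def audit_request_flow(flow_xml, policy_xmls):
    """Return findings for a request flow meant to enforce monetization limits."""
    policies = {p.get("name"): p for p in map(ET.fromstring, policy_xmls)}
    # Step names in execution order, as listed under the flow's <Request>.
    steps = [n.text.strip() for n in ET.fromstring(flow_xml).findall("./Request/Step/Name")]

    def first(pred):  # index of the first attached step whose policy matches
        return next((i for i, s in enumerate(steps) if s in policies and pred(policies[s])), None)

    def is_auth(p):
        return p.tag == "VerifyAPIKey" or (
            p.tag == "OAuthV2" and p.findtext("Operation") == "VerifyAccessToken")

    auth = first(is_auth)
    if auth is None:
        return ["no VerifyAPIKey or OAuthV2 VerifyAccessToken step attached"]
    findings = []
    limits = first(lambda p: p.tag == "MonetizationLimitsCheck")
    if limits is None:
        findings.append("MonetizationLimitsCheck not attached: subscriptions not enforced")
    elif limits < auth:
        findings.append("MonetizationLimitsCheck runs before the authentication step")
    quota = first(lambda p: p.tag == "Quota")
    if quota is None:
        findings.append("no Quota policy attached: product quota not enforced")
    else:
        cfg = policies[steps[quota]].find("UseQuotaConfigInAPIProduct")
        if cfg is None:
            findings.append("Quota policy does not use <UseQuotaConfigInAPIProduct>")
        elif cfg.get("stepName") != steps[auth]:
            findings.append("Quota stepName does not reference the authentication step")
        if quota < auth:
            findings.append("Quota runs before the authentication step")
    return findings

# Constructed sample (not from the page): Quota attached without the product binding.
FLOW = """<PreFlow name="PreFlow"><Request>
  <Step><Name>verify-api-key</Name></Step>
  <Step><Name>impose-quota</Name></Step>
</Request></PreFlow>"""
POLICIES = [
    '<VerifyAPIKey name="verify-api-key"><APIKey ref="request.queryparam.apikey"/></VerifyAPIKey>',
    '<Quota name="impose-quota"><Allow count="100"/><Interval>1</Interval><TimeUnit>week</TimeUnit></Quota>',
]
if __name__ == "__main__":
    for finding in audit_request_flow(FLOW, POLICIES):
        print("FINDING:", finding)
```

An empty result means all three steps are attached in a consistent order; it does not confirm that a rate plan or quota value exists on the API product itself.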