What Is API Monetization?

November 11, 2022


Imagine that you have developed a service that collects discount information from all supermarkets in your city. If other developers want to access this data, they can use your API to get the information they want, and you can charge a fee based on their API usage. Converting data into money through APIs is called API monetization. API monetization is an ideal way to make your services profitable.

API Monetization

Once a company adopts the business model of API monetization, the next thing to consider is the pricing model. Most API providers use one of three standard pricing models: bundled access, pay-per-call, and pay-per-month. In all of these pricing models, API providers need to count the number of API calls made by each user. Therefore, identifying the user is critical, because the user may be throttled if the number of API calls exceeds the service package. However, merely identifying the individual user is not enough. More often than not, it is corporate users who purchase services. In this case, corporate employees share the same billing account, which is associated with their organization. So, it is equally important to identify the organization to which the user belongs.

Applications of API Monetization

Applications of API monetization are everywhere. SMS (Short Message/Messaging Service) verification codes are a typical example of API monetization. Cloud vendors also use this model for services like message queues, text recognition, etc. Security vendors use it for WAF (Web Application Firewall) and content filtering services. This monetization model is so successful that we desperately need a proper technology stack to support it. That is, we need something to manage our APIs carefully.

When managing APIs, we need to administer who can publish, what to publish, and where to publish, ensuring that the APIs conform to organizational standards such as URL patterns, naming conventions, and access control rules. Moreover, each department needs to be able to independently manage its own APIs, including API updates or design improvements, executing traffic control, rate-limiting, and security strategies. We must also observe usage, performance, and other metrics in real-time.

An API gateway is the tool introduced to manage APIs. API gateways can solve various problems in handling APIs. As a central proxy, the API gateway routes all incoming client requests to the intended destination (backend service), making your API more secure and easier to manage. Most API gateways also support various authorization and authentication protocols so that users can perform complex permission control and many other functions, such as rate-limiting.

There are many popular open-source projects for API gateways, most notably Apache APISIX and its alternative enterprise SaaS solution, API7 Cloud.

APISIX's API Monetization Practice

Apache APISIX supports these essential functions and integrates with various observability platforms (Prometheus, OpenTelemetry, Apache SkyWalking, etc.). These integrated plugins enhance Apache APISIX's ability to analyze APIs, providing comprehensive observability. What's more, to solve the problem of user identification, Apache APISIX introduced the concept of a "consumer".

APISIX consumer

Different consumers correspond to different users. Each consumer is bound to its own plugin and upstream configurations. Consumers are helpful when different consumers request the same API and you need to apply different plugin and upstream configurations to each. In this case, the authentication system identifies the consumer and applies the rules configured for it, which makes managing users convenient.


But just supporting consumers is not enough. For enterprise users, multiple consumers need to share the same consumption quota, and if we manage the configuration of each consumer separately, the operation becomes too cumbersome. Therefore, APISIX introduced another concept, the "consumer group". Multiple consumers in a group can share the same set of configurations and the same consumption quota.

APISIX consumer group

After understanding APISIX’s practice in API monetization, let's look at a specific application.

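  • Configure rate limiting for the enterprise so that all of its users share the same configuration
# create consumer group
# (the X-API-KEY value used throughout is APISIX's default Admin API key; replace it with your own key outside a local test)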
curl http://127.0.0.1:9180/apisix/admin/consumer_groups/company_a -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins": {
        "limit-count": {
            "count": 200,
            "time_window": 60,
            "rejected_code": 503,
            "group": "$consumer_group_id"
        }
    }
}'

# create consumer 1
curl http://127.0.0.1:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "username": "jack",
    "plugins": {
        "key-auth": {
            "key": "auth-one"
        }
    },
    "group_id": "company_a"
}'

# create consumer 2
curl http://127.0.0.1:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "username": "johnson",
    "plugins": {
        "key-auth": {
            "key": "auth-two"
        }
    },
    "group_id": "company_a"
}'

# create route
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/get",
    "plugins": {
        "key-auth": {}
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "httpbin.org": 1
        }
    }
}'

# hit the route (client traffic goes to the proxy port, 9080 by default, not the Admin API port 9180)
curl -i http://127.0.0.1:9080/get -H 'apikey: auth-one'
...
X-RateLimit-Limit: 200
X-RateLimit-Remaining: 199
...

curl -i http://127.0.0.1:9080/get -H 'apikey: auth-two'
...
X-RateLimit-Limit: 200
X-RateLimit-Remaining: 198
...

# change count value to 2 requests per minute
curl http://127.0.0.1:9180/apisix/admin/consumer_groups/company_a -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "plugins": {
        "limit-count": {
            "count": 2,
            "time_window": 60,
            "rejected_code": 503,
            "group": "$consumer_group_id"
        }
    }
}'

# hit the route (proxy port 9080)
curl -i http://127.0.0.1:9080/get -H 'apikey: auth-two'
...
X-RateLimit-Limit: 2
X-RateLimit-Remaining: 1
...


curl -i http://127.0.0.1:9080/get -H 'apikey: auth-one'
...
X-RateLimit-Limit: 2
X-RateLimit-Remaining: 0
...


# quota exhausted, HTTP 503
curl -i http://127.0.0.1:9080/get -H 'apikey: auth-one'
HTTP/1.1 503 Service Temporarily Unavailable


# after a minute, the count recovers
curl -i http://127.0.0.1:9080/get -H 'apikey: auth-one'
...
X-RateLimit-Limit: 2
X-RateLimit-Remaining: 1
...


# create another route
curl http://127.0.0.1:9180/apisix/admin/routes/2 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/anything",
    "plugins": {
        "key-auth": {}
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "httpbin.org": 1
        }
    }
}'

# both routes share the same count
curl -i http://127.0.0.1:9080/get -H 'apikey: auth-one'
...
X-RateLimit-Limit: 2
X-RateLimit-Remaining: 1
...


curl -i http://127.0.0.1:9080/anything -H 'apikey: auth-one'
HTTP/1.1 503 Service Temporarily Unavailable
...
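
The shared-quota behaviour in the transcript above, as an added Python model that is not part of the original article and not APISIX's own code. It assumes one fixed-window counter per consumer group; `GroupQuota` and `FakeClock` are hypothetical names, and the consumer data is constructed from the walkthrough. It also keeps a per-consumer tally of accepted calls, so usage can be attributed to individuals while the limit is enforced on the organization.

```python
import time
from collections import Counter

# Constructed sample data mirroring the walkthrough (API key -> consumer, group).
CONSUMERS = {"auth-one": ("jack", "company_a"), "auth-two": ("johnson", "company_a")}
GROUP_LIMITS = {"company_a": {"count": 2, "time_window": 60, "rejected_code": 503}}


class GroupQuota:
    """Fixed-window counter shared by every consumer of a group (assumed model)."""

    def __init__(self, consumers, limits, clock=time.monotonic):
        self.consumers, self.limits, self.clock = consumers, limits, clock
        self.windows = {}        # group -> (window_start, calls_used)
        self.usage = Counter()   # (group, username) -> accepted calls, for billing

    def handle(self, api_key, uri):
        """Return (status, headers) for one request. The uri is deliberately not
        part of the counter key: the quota belongs to the group, not to a route."""
        identity = self.consumers.get(api_key)
        if identity is None:
            return 401, {}       # unknown key: rejected before any counter is touched
        username, group = identity
        rule = self.limits[group]
        now = self.clock()
        start, used = self.windows.get(group, (now, 0))
        if now - start >= rule["time_window"]:
            start, used = now, 0  # window expired: the quota recovers
        if used >= rule["count"]:
            self.windows[group] = (start, used)
            return rule["rejected_code"], {}
        used += 1
        self.windows[group] = (start, used)
        self.usage[(group, username)] += 1
        return 200, {"X-RateLimit-Limit": rule["count"],
                     "X-RateLimit-Remaining": rule["count"] - used}


class FakeClock:
    """Manually advanced clock, so window expiry can be shown without sleeping."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
```
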

Summary

To convert services and data into revenue through API monetization, enterprises need to introduce a professional API management tool: an API gateway. The most popular API gateway is Apache APISIX, which has rich practices in API monetization. APISIX introduces concepts such as consumers and consumer groups, which greatly facilitate the management of APIs and enable enterprises to monetize APIs more smoothly.
