API Portal offers two distinct plan types with which to access and constrain the usage of specific APIs.
Account Plans constrain the cumulative API usage of all the organizations under them.
API access is no longer controlled by Account Plans.
The visibility of APIs is no longer managed on the Account Plan level. Administrators manage the visibility of APIs on an Organization level. For more information about API visibility and permissions, see Create and Set Permissions for APIs.
API Plans are a more granular feature that controls how individual APIs can be consumed by developers and applications within an organization. The API Plan comprises rate limit and/or quota information, along with the public or private APIs that these controls apply to. You can also choose which organizations an API Plan applies to, allowing you to set different access tiers for different organizations for the same APIs.
Used concurrently, Account Plans and API Plans enable you to manage visibility, consumption, and tiered quota on your APIs.
How Plans Work
Account Plans and API Plans govern the following parameters:
- Visibility and consumption: Which Private APIs are visible to which organizations, through configuring Account Plans (indirect assignment) or using API Details (direct assignment).
- Quota and rate limit: How much an organization can consume both Private and Public APIs (through Account Plans), and how much each application can consume Public and Private APIs (through API Plans).
The following diagram illustrates the relationship between Account Plans, API Plans, organizations (and their applications), and APIs.
Account Plans vs API Plans
The following table highlights the similarities and differences between Account Plans and API Plans:
| Account Plans | API Plans |
| --- | --- |
| Can be applied to different organizations | Need to be linked to organizations to make the plan selectable by applications and developers within those organizations |
| Restrict an organization to follow one Account Plan only | Enable an organization to use different API Plans for different APIs and applications |
| Account Plans no longer impact visibility | Can be linked to both Private and Public APIs to constrain their usage, but do not impact their visibility |
| Constrain the cumulative usage limit for the organization under the Account Plan | Constrain the consumption limit of individual APIs by applications and developers |
| Drive the overall access and quota of your organizations | Allow you to manage access tiers for optimum consumption by organizations within your Account Plan |
| Roles and Permissions: Can be added and edited by Admins and API Owners | Roles and Permissions: Can be added and edited by Admins and API Owners. OrgAdmin and Developer can select API Plans for individual applications, or propose selections to be approved by Admins or API Owners. |
For more information on Account Plan and API Plan permissions, see Get Started - User Types, Roles and Permissions.
How Quotas and Rate Limits Work
Account Plans and API Plans can use different quotas and rate limits.
Quota per day or month
Restricts the number of times that an API can be queried in a day or month.
- In Account Plans, a quota limit of 10000 per day ensures that all activities of an organization under that Account Plan do not exceed 10000 hits per day.
- In API Plans, a quota limit of 10000 per day ensures that application hits for the API assigned to that API Plan do not exceed 10000 hits per day.
Rate limit per second
Restricts the number of times that an API can be queried in a second.
- In Account Plans, a rate limit of 100 per second ensures that all activities of an organization under that Account Plan do not query more than 100 times per second.
- In API Plans, a rate limit of 100 per second ensures that application queries for the API assigned to that API Plan do not exceed 100 times per second.
Account Plan limits always take precedence over API Plan limits and are triggered first. The following diagram is an example:
- Three Private APIs are added to the Account Plan, which has one Organization under it. These APIs, as well as the Public API, are all visible to all Organizations under the Account Plan. The total quota of 10000 hits/day and rate limit of 100 per second apply to all activities within this Organization.
- API Lettuce is assigned the Silver API Plan. API Chicken is assigned the Bronze API Plan. APIs Carrot and Spoon are assigned to both Silver and Bronze plans. APIs need to be assigned to API Plans, or else consumption for that API will be unlimited and can use up your Account Plan bandwidth or quota.
- Both Silver and Bronze API Plans are linked to Organization Soup. API Plans need to be linked to Organizations, or else the plans will not be selectable for public and private APIs consumed by the Organization's applications.
- On the Application level, Vegetable Soup is configured to consume API Lettuce, API Carrot, and API Spoon.
  - Quota for API Lettuce will be 1000 hits/day and 100/second (Silver API Plan).
  - You can choose the quota for API Carrot and API Spoon between Silver and Bronze Plans.
- On the Application level, Chicken Soup is configured to consume API Chicken and API Spoon.
  - Quota for API Chicken will be 500 hits/day and 50/second (Bronze Plan).
  - You can choose the quota for API Spoon between Silver and Bronze Plans.
Following this logic, administrators can give each API a different quota and rate limit for different Applications.
Getting Started with Plans
The recommended workflow is as follows:
- If you do not have Account Plans already configured from a previous deployment, see Manage Account Plans.
- If you are already using Account Plans and want to incorporate API plans into your business logic, proceed to Manage API Plans.
The following best practices are recommended if you have existing Account Plans:
- Check and adjust your current Account Plan limits. The highest common denominator is recommended when assigning quotas and rate limits for an Account Plan.
- If you haven't already, enable request workflows. This enables the Admin or API Owner to accept or reject requests made by OrgAdmins and Developers to edit applications and select API Plans. If request workflow is disabled, OrgAdmins and Developers can perform these tasks without approval.
- Revisit your existing APIs (both private and public) and ensure they are configured and/or attached to an API Plan. Non-configured APIs have no consumption limit and can use up your Account Plan quota.
Limit API Use
The following policy templates help organizations manage API usage:
- Rate Limit Policy: Restricts the number of times that an API can be queried in a second. For example, a rate limit of 1 prevents all the applications that use that API from accessing it more than once per second.
- Quota By Month Policy: Restricts the number of times that an API can be queried in a month. For example, a quota limit of 1 ensures all the applications that use that API can only access it once per month.
- Quota By Day Policy: Restricts the number of times that an API can be queried in a day. For example, a quota limit of 1 ensures that all the applications that use that API can only access it once per day.
Follow these steps:
- Log in to the Portal as a Publisher, or as an Organization Admin or Developer with API publishing capabilities.
- Add an API, or edit an existing API.
- On the Proxy Configuration tab, select the policy from the drop-down list.
- Test the API limits that you specified.
Restricting API Usage by Application
You can use the Rate Limit, Quota by Month, and Quota by Day policies with account plan policies to restrict API usage for a specific application. For example, you can set the API Rate Limit to 10 per second, and the Account Plan Rate Limit to 1 per second. The application using the API and the account plan can only access the API once per second.
Changing Quota and Rate Limits
The following example shows the impact of changing a quota or rate limit, based on the day of the change.
A customer sets the Quota by Day to 100 for an API. When that API is consumed 100 times, the API is no longer accessible. The customer then requests that the quota is increased to 200 on the same day. The API can be consumed an additional 100 times on the current day because the new daily limit has not been reached yet.
If the customer requests the quota to be changed to 200 on the next day, the API can be consumed 200 times the next day.
The scenario above applies for Quota by Day and Quota by Month.
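The two-tier evaluation from "How Quotas and Rate Limits Work" and the same-day change described above can be checked with a small model. This is an added example, not API Portal code: it tracks daily quota only (no per-second rate limit), assumes rejected calls do not count against any counter, and the API "Unplanned" and the names "App", "Api" and "Daily" are hypothetical.

```python
from collections import defaultdict

class DailyQuotaModel:
    """Toy model of one day's quota counters (constructed, not Portal code)."""

    def __init__(self, account_quota, plan_quotas):
        self.account_quota = account_quota    # cumulative hits/day for the organization
        self.plan_quotas = dict(plan_quotas)  # API Plan name -> hits/day
        self.selected = {}                    # (application, API) -> API Plan name
        self.org_hits = 0
        self.app_hits = defaultdict(int)      # (application, API) -> hits today

    def request(self, app, api):
        """Return 'ok', 'account_quota' or 'api_quota' for one call."""
        # The Account Plan limit is checked first, across the whole organization.
        if self.org_hits >= self.account_quota:
            return "account_quota"
        plan = self.selected.get((app, api))  # None: API has no API Plan, so no cap here
        if plan is not None and self.app_hits[(app, api)] >= self.plan_quotas[plan]:
            return "api_quota"
        # Assumption: only accepted calls count against the counters.
        self.org_hits += 1
        self.app_hits[(app, api)] += 1
        return "ok"

    def burst(self, app, api, n):  # send n calls, return how many were accepted
        return sum(self.request(app, api) == "ok" for _ in range(n))

def soup_example():
    m = DailyQuotaModel(10000, {"Silver": 1000, "Bronze": 500})
    m.selected[("Vegetable Soup", "Lettuce")] = "Silver"
    m.selected[("Chicken Soup", "Chicken")] = "Bronze"
    accepted = {
        "lettuce": m.burst("Vegetable Soup", "Lettuce", 1200),  # capped by Silver
        "chicken": m.burst("Chicken Soup", "Chicken", 600),     # capped by Bronze
        # Hypothetical API with no API Plan: only the account quota stops it.
        "unplanned": m.burst("Vegetable Soup", "Unplanned", 20000),
    }
    return accepted, m.request("Vegetable Soup", "Lettuce")

def quota_change_same_day():
    m = DailyQuotaModel(10000, {"Daily": 100})
    m.selected[("App", "Api")] = "Daily"
    before = m.burst("App", "Api", 150)
    m.plan_quotas["Daily"] = 200          # quota raised on the same day
    return before, m.burst("App", "Api", 150)

if __name__ == "__main__":
    print(soup_example(), quota_change_same_day())
```

The unplanned API absorbs the remaining account quota, after which even a call to API Lettuce is refused at the account tier.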