Enforce monetization limits in API proxies
This pageapplies toApigee andApigee hybrid.
View Apigee Edge documentation.
This page describes how to enforce monetization limits by attaching policies to API proxies in a monetized API product.
Add an authentication policy
Apigee monetization uses theVerifyAPIKey policy or the VerifyAccessToken operation of the OAuth2 policy to determine if an incoming request is monetizable by checking for the active published rate plan.
Attach the policy to the API proxy using the Apigee UI or the API. SeeEditing an API proxy for information on editing a proxy.
See also:
- Attaching a policy to a flow
- Verifying access tokens
- Monitoring and debugging the authentication policy using Debug
Enforce developer subscriptions on API products
Attach the MonetizationLimitsCheck policy to API proxies to enforce developer subscriptions on the API product:
- If no monetization rate plan exists for the API product fetched during the proxy call execution, the product is deemed non-monetized, the MonetizationLimitsCheck policy does not fetch any further data, and the policy has no effect.
- If a rate plan is found but a subscription is not found for the API developer, the MonetizationLimitsCheck policy raises a fault and blocks the API call.
When you attach the MonetizationLimitsCheck policy to an API proxy, themint.limitscheck.* andmint.subscription_* flow variables are populated, as described inDebugging the MonetizationLimitsCheck policy and themint flow variable reference.
For more information, see:
- Creating an API proxy
- Editing an API proxy
- Attaching a policy to a flow
- Debugging the MonetizationLimitsCheck policy using Debug
- MonetizationLimitsCheck policy
Enforce monetization quotas in API proxies
Note: If you add a quota after the API product has been in use, the quota calculation starts from the next monetized transaction.A quota defines the number of requests allowed for an API product over a given time period. To enforce quotas for monetization, it is recommended that you set the quota value whencreating an API product.
Defining a quota value for an API product does not automatically enforce restrictions on the number of calls that can be made through the API product. You must also add Quota policies to the API proxies that are referenced by the API product to ensure the quota value defined at the API product-level is enforced.
Edit the Quota policy to enable the<UseQuotaConfigInAPIProduct> element to use the quota configuration defined at the API product-level.
For example:
<Quota continueOnError="false" enabled="true" name="impose-quota"> <DisplayName>Impose Quota</DisplayName><UseQuotaConfigInAPIProduct stepName="verify-api-key"> <DefaultConfig> <Allow>10000</Allow> <Interval>1</Interval> <TimeUnit>week</TimeUnit> </DefaultConfig> </UseQuotaConfigInAPIProduct> <Distributed>true</Distributed> <Synchronous>true</Synchronous> <StartTime>2021-01-01 12:00:00</StartTime></Quota>
- You can define the default configuration
<DefaultConfig>to use if the quota configuration is not defined in the API product, but the quota configuration defined at the API product-level takes precedence. - When you add the
<UseQuotaConfigInAPIProduct>element to the Quota policy, then Apigee ignores any<Allow>,<Interval>, and<TimeUnit>child elements of<Quota>.
When you attach the Quota policy to an API proxy, theratelimit.* flow variables are populated, as described inDebugging the Quota policy and the Quota policyflow variables reference.
For more information, see:
- Editing an API proxy
- Attaching a policy to a flow
- Debugging the Quota policy using Debug
- Quota policy
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.