How to monetize an API on AWS?

by admin, April 9, 2025, in AWS


Did you develop an API and want to sell access? Here is how I combined Amazon’s API Gateway (REST APIs) and FastSpring, a payment and subscription platform, to monetize our API for malware scanning. Luckily, you can apply the pattern to any REST API.


The problem: payments, subscription, and access control

I’m building a WordPress plugin to protect blogs from malware. Every time an editor uploads a new attachment, the plugin sends the file to our API, which scans it for malware. The infrastructure consists of an Application Load Balancer (ALB) and EC2 instances running the malware engine. So, how do we charge customers for accessing the API?

Let’s break down the problem into requirements.

  • Manage a subscription (create, pause, cancel, …)
  • Handle payments (different payment methods, international, …)
  • Control access to the API (API key, throttling, …)

The options: API marketplaces and payment and subscription platforms

My first idea was to use an API marketplace. The AWS Marketplace supports selling API Gateway APIs. We are already selling products through the AWS Marketplace and are quite happy with the solution. However, the AWS Marketplace works best if potential customers are already AWS customers. As I’m aiming to sell API access to WordPress users, the hurdle of creating an AWS account seems too high.

What about more generic API marketplaces? There are a few providers out there. I had a deeper look into Rapid API. From a technical standpoint, the solution looks solid. However, Rapid API targets developers who want to integrate an API into their application. I couldn’t find a way to integrate Rapid API into the checkout process for the users of our WordPress plugin. Besides that, I concluded that Rapid API is in the early stages of collecting payments and deducting taxes worldwide.

To have full control over the checkout process, I looked into generic payment and subscription platforms. So, I looked into Stripe and a few other solutions. My pain point with all these solutions is tax compliance. It’s quite tricky to comply with all the tax laws worldwide. Therefore, I ended up with a provider we have used for years: FastSpring. From a technical and look-and-feel perspective, FastSpring is getting a bit long in the tooth. But FastSpring acts as a reseller. Therefore, FastSpring is responsible for tax deductions with customers from all over the world.

I decided to use FastSpring to handle payments and subscriptions. Next, I looked for the simplest possible implementation on AWS.

The solution: API Gateway (REST APIs), usage plans, API keys, and FastSpring

After all, I came up with the following solution to monetize a REST API.

  1. The customer goes to the storefront provided by FastSpring to create a subscription. FastSpring generates a license key.
  2. FastSpring sends a webhook event to the API Gateway, including the subscription ID and license key.
  3. The API Gateway invokes a Lambda function. The Lambda function creates an API key using the value of the license key and assigns the API key to a usage plan.
  4. The customer sends a request to the API Gateway. The request includes the license key (= API key) in the header.
  5. The API Gateway validates the API key and usage plan and then forwards the request to the ALB.

What I like most about the solution is its simplicity.

API Gateway REST APIs have two major limitations: the payload size is limited to 10 MB, and the request timeout is limited to 30 seconds.

Next, let’s dive into some implementation details.

The Amazon API Gateway REST APIs support usage plans and API keys. A usage plan allows you to define the target request rate per customer, which is important to protect your infrastructure from accidental or malicious request flooding. Additionally, it’s possible to define a quota for the maximum number of requests per day, week, or month. The following CloudFormation snippet shows how to create a usage plan limiting access to 1 request per second and 10,000 per day, for example.

It’s important to mention that AWS does not guarantee to apply throttling and quotas 100% accurately. Here is what the AWS documentation says: “Usage plan throttling and quotas are not hard limits, and are applied on a best-effort basis. In some cases, clients can exceed the quotas that you set. Don’t rely on usage plan quotas or throttling to control costs or block access to an API.” In our scenario, that’s a limitation we can live with.

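UsagePlan:
  Type: 'AWS::ApiGateway::UsagePlan'
  Properties:
    UsagePlanName: 'demo'
    Description: '1 req/sec and 10,000 req/day'
    ApiStages:
    - ApiId: !Ref ApiGateway
      Stage: !Ref ApiStage
    # Steady-state rate of 1 request per second with a burst of up to 5.
    Throttle:
      BurstLimit: 5
      RateLimit: 1
    # At most 10,000 requests per day (applied on a best-effort basis).
    Quota:
      Limit: 10000
      Period: DAY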

The “new” Amazon API Gateway HTTP APIs still don’t support usage plans. I’m using the “legacy” option REST APIs here.

As described above, FastSpring sends webhook events whenever customers create or cancel a subscription. The following JavaScript snippet shows how a Lambda function parses the webhook event, creates an API key, and attaches the API key to the usage plan.

import { APIGatewayClient, CreateApiKeyCommand, GetApiKeysCommand, UpdateApiKeyCommand, CreateUsagePlanKeyCommand } from '@aws-sdk/client-api-gateway';
import { createHmac, timingSafeEqual } from 'node:crypto';

const apigw = new APIGatewayClient();

const WEBHOOK_SECRET = '...';
const USAGE_PLAN_ID = '...';

// The X-FS-Signature header carries the base64-encoded HMAC-SHA256 of the request body.
function isValidSignature (event) {
  const fsSignature = event.headers?.['X-FS-Signature'];
  if (typeof fsSignature !== 'string') {
    return false;
  }
  const computedSignature = createHmac('sha256', WEBHOOK_SECRET).update(event.body).digest();
  const receivedSignature = Buffer.from(fsSignature, 'base64');
  // Compare in constant time; timingSafeEqual throws when the lengths differ.
  return receivedSignature.length === computedSignature.length && timingSafeEqual(receivedSignature, computedSignature);
}

export const handler = async (event) => {
  if (event.path === '/v1/fastspring/webhook' && event.httpMethod === 'POST') {
    if (isValidSignature(event)) {
      const body = JSON.parse(event.body);
      for (const e of body.events) {
        if (e.type === 'subscription.activated') {
          // Create an API key whose value is the license key generated by FastSpring.
          const apiKey = await apigw.send(new CreateApiKeyCommand({
            name: `subscription-${e.data.subscription}`,
            description: `The license and API key for FastSpring subscription ${e.data.subscription}.`,
            enabled: true,
            value: e.data.fulfillments['license_0'][0].license
          }));
          // Attach the API key to the usage plan so throttling and quota apply.
          await apigw.send(new CreateUsagePlanKeyCommand({
            usagePlanId: USAGE_PLAN_ID,
            keyId: apiKey.id,
            keyType: 'API_KEY'
          }));
        }
      }
      return {
        statusCode: 200,
        headers: {
          'Content-Type': 'application/json'
        },
        body: JSON.stringify({})
      };
    } else {
      return {
        statusCode: 403,
        headers: {
          'Content-Type': 'application/json'
        },
        body: JSON.stringify({error: 'Invalid signature.'})
      };
    }
  } else {
    return {
      statusCode: 404,
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({error: 'Not found.'})
    };
  }
};
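
The webhook handling from steps 2 and 3, as an added example that is not the original post's code: it verifies the FastSpring signature in constant time regardless of header casing or a base64-wrapped body, then returns the API key actions to perform instead of calling AWS, so it runs offline as a plain Node.js script (CommonJS `require`). The `subscription.deactivated` branch, its payload shape, the `disable` action and all helper names are assumptions; the sample webhook and secret are constructed.

```javascript
// Added example, not the original post's code. Helper names are hypothetical.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Header names arrive in the sender's casing, so look them up case-insensitively.
function header (event, name) {
  const key = Object.keys(event.headers || {}).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : event.headers[key];
}

// The HMAC covers the bytes FastSpring sent, so undo API Gateway's base64 wrapping first.
function rawBody (event) {
  return Buffer.from(event.body, event.isBase64Encoded ? 'base64' : 'utf8');
}

function isValidSignature (event, secret) {
  const signature = header(event, 'x-fs-signature');
  if (typeof signature !== 'string' || typeof event.body !== 'string') return false;
  const expected = createHmac('sha256', secret).update(rawBody(event)).digest();
  const received = Buffer.from(signature, 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && timingSafeEqual(received, expected);
}

// Map a webhook to API key actions; the body is parsed only after the signature check.
function planKeyActions (event, secret) {
  if (!isValidSignature(event, secret)) return { statusCode: 403, actions: [] };
  const actions = [];
  for (const e of JSON.parse(rawBody(event).toString('utf8')).events || []) {
    const name = `subscription-${e.data.subscription}`;
    if (e.type === 'subscription.activated') {
      actions.push({ op: 'create', name, value: e.data.fulfillments['license_0'][0].license });
    } else if (e.type === 'subscription.deactivated') { // assumption: event used for revocation
      actions.push({ op: 'disable', name });
    }
  }
  return { statusCode: 200, actions };
}

// Constructed sample: a webhook signed with a constructed secret.
const SECRET = 'constructed-secret-for-this-example';
function sampleEvent (events, headerName = 'X-FS-Signature') {
  const body = JSON.stringify({ events });
  const signature = createHmac('sha256', SECRET).update(body).digest('base64');
  return { headers: { [headerName]: signature }, body, isBase64Encoded: false };
}
```

In a Lambda function, a `create` action maps to CreateApiKeyCommand followed by CreateUsagePlanKeyCommand, and a `disable` action to UpdateApiKeyCommand on the key found by name.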

Last but not least, the API Gateway must be configured to validate the API key and usage plan. The following CloudFormation snippet shows how to configure the API Gateway.

ApiGateway:
  Type: 'AWS::ApiGateway::RestApi'
  Properties:
    # Read the API key from the x-api-key request header.
    ApiKeySourceType: HEADER
    # Include the Swagger definition from a separate file.
    Body:
      'Fn::Transform':
        Name: 'AWS::Include'
        Parameters:
          Location: './api-schema.yml'
    Description: 'A cloudonaut.io example.'
    Name: 'demo'
    EndpointConfiguration:
      Types: ['REGIONAL']

Details are defined in the Swagger configuration file api-schema.yml referenced from the previous CloudFormation snippet. Note that the path /v1/demo requires an api_key to grant access. The API Gateway forwards POST requests to /v1/demo to the backend system https://example.com/api/v1/demo.

---
swagger: '2.0'
basePath: "/"
schemes:
- https
info:
  title: 'demo-api'
  version: '1.0.0'
x-amazon-apigateway-request-validators:
  basic:
    validateRequestBody: false
    validateRequestParameters: true
x-amazon-apigateway-request-validator: basic
# The API key is expected in the x-api-key header.
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "x-api-key"
    in: "header"
# Custom responses for rejected keys, throttling, and exhausted quotas.
x-amazon-apigateway-gateway-responses:
  INVALID_API_KEY:
    statusCode: 401
    responseTemplates:
      'application/json': '{"error": "Invalid API key."}'
  THROTTLED:
    statusCode: 429
    responseTemplates:
      'application/json': '{"error": "Rate limit exceeded."}'
  QUOTA_EXCEEDED:
    statusCode: 429
    responseTemplates:
      'application/json': '{"error": "Quota exceeded."}'
paths:
  '/v1/demo':
    post:
      # Requests to this path must present a valid API key.
      security:
      - api_key: []
      responses:
        "200":
          description: OK
      # Forward the request to the backend system.
      x-amazon-apigateway-integration:
        type: 'http'
        httpMethod: 'POST'
        uri: 'https://example.com/api/v1/demo'
        responses:
          default:
            statusCode: '200'
        passthroughBehavior: 'when_no_match'
        contentHandling: 'CONVERT_TO_BINARY'
definitions:
  Error:
    properties:
      error:
        type: string
    required:
    - error

Need help with implementing a similar solution? Let me know!

Summary

When selling APIs to potential customers who are most likely already AWS customers, AWS Marketplace is a great choice. However, when selling to potential customers without an AWS account, a solution consisting of API Gateway, usage plans, API keys, Lambda, and FastSpring is a simple but powerful alternative.
