What is a Plan?
A plan is a set of policies that defines the level of service API Management provides for an API. When a private API is consumed, it may be consumed through a plan.
An organization can have multiple plans associated with it. Typically each plan within an organization consists of the same set of policies but with different configuration details.
Example: Within the ACME Corp. organization, three different plans have been created:
- A Gold plan with a rate limiting policy that restricts consumers to 10.000 requests per day.
- A Silver plan with a rate limiting policy that restricts consumers to 1.000 requests per day.
- A Bronze plan with a rate limiting policy that restricts consumers to 100 requests per day.
Once a plan has been fully configured (all desired policies have been added and customized), the plan must be locked. Only locked plans can be used by APIs. This prevents API providers from changing the details of a plan while client developers are already using it.
API Contracts and API Keys
Only public APIs can be accessed by any consumer. The only way for a client to consume a private API is by using an API contract. An API contract is a link between a client and an API through a plan offered by that API.
API contracts can only be created between clients and published APIs which are offered through at least one plan. An API contract cannot be created between a client and a public API.
When a client version is created, the system generates a unique API Key. This key is unique per client version and the same for all contracts of this version. All requests made to the API by a client through the gateway must include this API Key to identify the client version in use.
However, the API Key is not a security feature! API Keys are not encrypted and are visible:
- in the request header,
- to people who have access to API Management metrics/the Log Analyzer,
- in the logs of the integration component (Bridge) if you are using the API Key policy.
So, API Keys need to be handled in a secure way - otherwise attackers may be able to use the API Key to gain access to your system.
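One way to keep API Keys out of stored or forwarded logs, shown as an added example that is not part of the original documentation or the product's code: each key value is replaced with a short hash, so requests from one client version can still be correlated. The header name `X-API-Key`, the query parameter `apikey` and the sample log lines are assumptions; the page does not state how the key is transmitted.

```python
import hashlib
import re

# Assumed names: the page does not say how the key is transmitted.
# "X-API-Key" (header) and "apikey" (query parameter) are placeholders;
# adjust them to whatever your gateway actually uses.
KEY_PATTERNS = [
    # Header as plain text or JSON: X-API-Key: <key>, "X-API-Key": "<key>"
    re.compile(r"(x-api-key[\"']?\s*[:=]\s*[\"']?)([^\s,;&\"']+)", re.IGNORECASE),
    # Key passed in the query string: ?apikey=<key> or &apikey=<key>
    re.compile(r"([?&]apikey=)([^\s&#\"']+)", re.IGNORECASE),
]


def fingerprint(key: str) -> str:
    """Short, non-reversible tag for a key. System-generated keys are
    random, so a truncated SHA-256 is enough to correlate log lines."""
    return "key-sha256:" + hashlib.sha256(key.encode()).hexdigest()[:12]


def redact(line: str) -> str:
    """Replace every API key value in a log line with its fingerprint."""
    for pattern in KEY_PATTERNS:
        line = pattern.sub(lambda m: m.group(1) + fingerprint(m.group(2)), line)
    return line


# Constructed sample log lines (not real gateway output).
SAMPLE = [
    "2024-01-01T10:00:00Z GET /orders/v1/items X-API-Key: 3f2a9c1e-constructed-key-0001 200",
    "2024-01-01T10:00:02Z GET /orders/v1/items?apikey=3f2a9c1e-constructed-key-0001&page=2 200",
    "2024-01-01T10:00:03Z GET /health 200",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(redact(entry))
```

Run the filter before log lines leave the host that produced them, so the clear-text key never reaches shared log storage.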
Finding a Plan
If you are looking for a plan that has already been created, go to the My Plans tab. It shows a list of all plans your user is allowed to see, grouped by organization.
To revise the settings of a plan (only possible if the plan is not locked yet), you need to open its details page (see Plan Settings for further information).