@Hichem Kedjour , Welcome to Apigee Community !

Great to know your startup is API First & Glad to hear about your business is 100% based on APIs.

Totally agree, Not necessarily you need Enterprise Plan, You can use SMB / Startup with Developer Portal which will cost few hundreds of dollars. Anyway, Let's jump into technical stuff keeping aside pricing plans & dollars.

In above implementation, I see a critical piece, which is Developer Portal. Looks like you might need Drupal based Apigee Developer Portal which offers flexibility to control who can see which products, roles based access, user management & many more instead of light weight portal that comes in Edge UI. You might need to contact Sales here to request Drupal based developer portal.

Let me tell you how Apigee can solve your business use cases,

The customer subscribe to one of our plans (prepaid payment)

We do have Monetization Add-On Product for Apigee Edge which offers plans, billing, packages, reports etc. Since, You are getting started i don't suggest this add-on which will cost more than what you can afford at this point of time. You can still achieve what you want to using API Products & Developer Portal. Here is how it works,

• Customer self registers in Developer Portal.
• Portal Administrator will approve the account after review & assign a role.
• Based on role, Customer will see list of API Products to which he can subscribe.

The customer receives credentials to connect to the API (Client Id and secret)

• Either you create an App on behalf of customer with API Products (API Plans) using his Email Address or Provide Developer Portal App Creation access to customer where he can pick the list of API products (API Plans) controlled based on above role restrictions.
• Customer sees the list of Apps that he got assigned / created in Developer Portal & gets the client id & secret.

The customer need also an access to API documentation

• You will publish interactive API Documentation to API Portal using Smartdocs in Apigee Developer Portal. See example here & here.
• You can fully control using RBAC who sees which API documentation in Developer Portal based on Roles & Permissions.

We need to manage the Quota

• Yes, That's one of the most basic & widely used feature in Apigee Edge. You can do seamlessly & Apigee offers all the flexibility to that. More details below.

How i will design this in Apigee :

• I will create an API Product for my API plans. You can also use Apigee Monetization which offers API Packages, Rate Limits , PrePaid , Post Paid plans but it's beyond your budget at this point of time. You can still achieve same using API Products & Developer Portal.

The problem is that the customer (developer ) can subscribe to any product. I didn’t find a way to limit a developer only to the products he paid for. And I don’t want to have manual approval.

This is not true. Using Apigee Developer Portal based on Drupal you can restrict API Products to customers . You can control which developer will see which API Product (API Plan) based on roles & permissions.

Your second approach :

It's kind of a hack you did. We won't recommend it. I will suggest using multiple API Products & API Products restriction, Quota based on API Product attributes, API Products access controlled by Developer Portal.

Since the authentication is now done by apigee edge, from your experience what is the best approach to secure my backend and limit the access to only apigee edge (my tenant)?

That'a a great question. We call it last mile security. We suggest two-way ssl. But, It's only available for paid accounts. You can also do simple last mile security using Basic Auth / OAuth / API Key to secure calls between Apigee & Backend.

Just FYI, Apigee Edge Startup plans costs 300$ + Drupal based Apigee Developer Portal 100$ / month. More details here.

Keep us posted if any. Hope it helps.

PS: @jwyatt FYI, Is there any way we can give trial access to Apigee Drupal based developer portal for prospect to play with ?