Validate parameters based on developer/app

We've got a use case where we want to restrict the values each developer can submit to our API. Each developer will have a set (1-20) of allowed values for a parameter called 'location'. As each location is a latitude/longitude pair, it's very unlikely that two developers would ever have the same location in their sets. I've considered setting the allowable values in a custom attribute for each developer or app, but perhaps there is a better way. Has anyone got any suggestions?


A Custom attribute, either on the developer or on the app, seems like a good workable way to do what you want.

Let's say you have 5 Developers, each with 2 apps. Setting up the allowed location on each developer should be pretty easy, and it won't be too difficult to modify the set of registered locations. You can sort of manually do integrity checks (make sure each long/lat is unique).

On the other hand, you might also consider externalizing the lookup of the "allowed" values... into some independent datastore. For example, if you have 500 developers, or 50,000 apps, well then now it probably makes sense to store that information in some external DB. This gives you more power to manage those entries, and also perform automated validity and integrity checks. And then you can design your API Proxies to call into that DB at runtime (e.g., via ServiceCallout) to retrieve the information. Another possible reason to store the information externally is if you need to have an audit trail or a distinct administrative control over changes to the information.

I can definitely see the wisdom in keeping the app/param settings in a database. Is there a feature within Apigee that could be used for that purpose? We have one already, but because of its age and general clunkiness we have decided to grant our Apigee proxy one account with great access and were hoping it would handle restricting the devs.

The custom attributes are a way to hang data off the existing Apigee entities. If you want an external database, you can use any cloud-based thing I suppose - Google Cloud Firestore is a good example. Or your old legacy DB. A good way to restrict access to that is to wrap the DB in a service which exposes only a few curated queries. That service might be hosted in App Engine or an Apigee-based proxy. I guess how it is best solved depends on which tools in your toolbox you prefer to use!
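
The custom-attribute approach discussed in this thread comes down to a per-developer allow-list check on `location`. The following is an added example, not code from any of the posts or from Apigee: it parses and canonicalizes latitude/longitude pairs and fails closed. The attribute format (`lat,lng;lat,lng`), the function names, and the policy, attribute and query-parameter names in the final comment are assumptions.

```javascript
// Added example. Assumed attribute format (not from the thread):
// "lat,lng;lat,lng;..." stored in one custom attribute per developer or app.

// Strictly parse "lat,lng"; return a canonical key or null if malformed.
function parseLocation(text) {
  if (typeof text !== 'string') return null;
  var m = /^\s*(-?\d{1,3}(?:\.\d+)?)\s*,\s*(-?\d{1,3}(?:\.\d+)?)\s*$/.exec(text);
  if (!m) return null;
  var lat = Number(m[1]), lng = Number(m[2]);
  if (Math.abs(lat) > 90 || Math.abs(lng) > 180) return null;
  // Integer micro-degrees, so "51.50740" and "51.5074" compare equal.
  return Math.round(lat * 1e6) + ',' + Math.round(lng * 1e6);
}

// Build the allowed set; malformed entries are collected, never trusted.
function parseAllowed(attrValue) {
  var allowed = Object.create(null), count = 0, bad = [];
  String(attrValue || '').split(';').forEach(function (entry) {
    if (entry.trim() === '') return;
    var key = parseLocation(entry);
    if (key === null) { bad.push(entry.trim()); return; }
    if (!allowed[key]) { allowed[key] = true; count++; }
  });
  return { allowed: allowed, count: count, bad: bad };
}

// Fail closed: a missing attribute, an empty set or unparseable input is denied.
function checkLocation(attrValue, requested) {
  var cfg = parseAllowed(attrValue);
  if (cfg.count === 0) return { ok: false, reason: 'no-allowed-locations' };
  var key = parseLocation(requested);
  if (key === null) return { ok: false, reason: 'malformed-location' };
  if (!cfg.allowed[key]) return { ok: false, reason: 'location-not-allowed' };
  return { ok: true, reason: 'allowed' };
}

// Constructed sample value for one developer's attribute.
var SAMPLE_ATTR = '51.5074,-0.1278; 48.8566,2.3522';

// In an Apigee JavaScript policy the inputs would come from flow variables,
// for example (policy name "VerifyKey", app attribute "allowed_locations" and
// the query parameter placement are assumptions):
//   checkLocation(context.getVariable('verifyapikey.VerifyKey.allowed_locations'),
//                 context.getVariable('request.queryparam.location'));
```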