Thank you for your answer.

Actually, I am trying to find a way to set a quota based on the parameters of the request instead of the number of calls. For instance, user can request history data between two timestamps (the two timestamps - startDate and endDate) are parameters in the request) and I want to limit the number of days requested during a certain period (day, week, month...)

So I was thinking to use custom attributes to count the number of days requested but as you mentioned, that won't work.

How could I build a quota depending on parameters in the request?

Thank you in advance for your help!

Actually, I am trying to find a way to set a quota based on the parameters of the request instead of the number of calls.

When you say "set a quota", am I correct to understand that as "enforce an authorization check" ?

Quota is... a limit to the number of calls. From the way you described it, it sounds like you don't want to limit the number of calls, but rather you want to check whether a particular call should be allowed or not. A context-specific authorization check. Is that right?

For instance, user can request history data between two timestamps (the two timestamps - startDate and endDate) are parameters in the request) and I want to limit the number of days requested during a certain period (day, week, month...)

"Limit the number of days requested" ... it sounds like you want to ... for example, prevent a request that asks for a history of 20 days, but allow a request that asks for a history of 10 days. There is some threshold number of days; if the user asks for that number or less, it's ok. Otherwise it's not authorized. Is that what you want?

If so, it sounds more like a business rule. You could codify it in a JavaScript. Just check the startDate and EndDate and parse them into JavaScript date, normalize to number of days and compare against the threshold (for example 10 days). If the threshold varies across customers, and you have a different credential for each customer, then you could use a custom attribute to specify 10 days for one customer, 20 days for another. The JS logic is the same; the only difference is the threshold is dynamically determined.

If I haven't understood this correctly, I'm sorry. Maybe better would be a real-time conversation with someone at Apigee who can better discuss the requirement and how to meet it.

@Christophe Lalevee, FYI.

Thank you for your answer.

Actually my use case is a bit different. Let's take an example. I want to allow a user to get 50 days of history data over one week. So the user can make one single request for 50 days (and then he is blocked) or 10 requests for 5 days of history (and then he is bloacked). That is why I want to manage a counter per user (or app) based on the parameters of the request (startDate and endDate).

Do you figure out how to setup that kind of "custom counter"?

Thanks again for your support!

Jeremy

I think I understand. So you want to add up those days and then block any further requests from that app after exceeding the capped days?

Ok, so what you want to do is first create a product and specify the interval and time unit. For instance, 50 per 1 week.

Next, in your proxy, you will need to use JavaScript to get the diff between start_date and end_date. That will give you the count of days for that request. Make sure to use context.setVariable to create a variable with the number of days.

After the JS policy runs, use a quota policy and set the message weight to reference the variable you created in javascript.

That should do it. Let me know if any questions?

A few other key points, on the quota policy, make sure to set the identifier to the api key of the app. This allows you to enforce it per app.

Also, if you want to ensure users cannot go beyond the allotted amount, on the quota policy make sure to set distributed and synchronous equal to true.

Thank you very much for your support Robert. The use of message weight solved my problem!