Example Scenario
Product tiering can work across many industries such as AI, e-commerce, healthcare, telecommunications, travel and hospitality, and banking to name a few. To showcase how this works in Konnect, let's come up with a fictitious company called FinTech Corporation, a financial services company. To keep things simple, they offer three different API Products:
- Market Data API: Offers access to real-time and historical stock prices, foreign exchange rates, and financial news.
- Account Information API: Provides access to users' bank account details, balances, and transaction history.
- Payment Processing API: Enables money transfers, bill payments, and peer-to-peer transactions.

This setup allows FinTech to cater to different customer segments, from small app developers to large enterprises needing full access to real-time data and high transaction volumes.
Achieving this in Konnect
Feeling efficient and want to test this out for yourself? Just push the decK configuration directly into Konnect, using this decK file. Be careful not to overwrite any current configuration.
If you aren't familiar with decK, follow this getting started guide. When authenticating with the control plane, you need to pass an access token. This link covers how to generate and use that token with decK.
Set API Products
The first task is to define your APIs. Let’s expose and organize them into manageable products. To do this we will create routes and services in Konnect to correspond to your specific API endpoints.
Since this is just an example, I’m going to use a simple mocking service hosted by Kong, https://httpbin.konghq.com. We'll create the following services for our Market Data, Account Information, and Payment Processing APIs:

Each service will have a corresponding route to expose the APIs:

Enabling Authentication to Protect API Products
To secure the APIs, we can require authentication on the different APIs through the various authentication methods supported by Kong Gateway, including basic authentication, JWT, OpenID Connect, LDAP, and more.
To keep things simple, let’s enable key authentication for all APIs. Once enabled, you need to provide a key to get access to these endpoints. I've set it globally, but it could also be scoped per service or route:

Provisioning of Consumer & Credentials
To represent the end users or applications that will access these products, we'll create consumers and provision a key authentication credential to get access to each product. I’ve labeled the users with their tiers so we can keep track of them. Adam is in the free tier, Ben is in the basic tier, and Charlie is in the premium tier. I've also created a secure credential for each consumer:

Creating Different Tiers with Consumer Groups
A useful component of Konnect is Consumer groups. Consumer groups provide the ability to organize consumers within an API ecosystem. By grouping consumers, you eliminate the need to manage them individually, providing a scalable, efficient approach to managing configurations. We can also scope policies (plugins in the Konnect world) to Consumer Groups. To achieve our use case, we will create three different Consumer groups, free, basic, and premium. These will represent the different tiers we outlined in the previous section.

We will also add the Consumers we created in the previous step to their corresponding Consumer Group/Tier:
- Adam is in the “Free” Consumer Group
- Ben is in the “Basic” Consumer Group
- Charlie is in the “Premium” Consumer Group
In a real-world scenario, many consumers can be part of the same consumer group.
Limit Access with ACL plugin
FinTech Corporation has decided to limit access to specific products based on the tier a consumer is in. We can leverage Konnect's built-in ACL plugin with Consumer Groups to limit access based on each tier.
- Market Data Service gives access to every tier
- Accounts gives access only to Basic and Premium users
- Payments is accessible only by Premium users
Important Note: when configuring the ACL plugin, there is a checkbox called “Include Consumer Groups” that enables the ACL plugin for Consumer Groups. Make sure this is enabled.

The market data product will allow access to all tiers/consumer groups:

The accounts product will only allow access to basic and premium:

The payments product will only allow access to premium consumers:

You now have three ACL plugins configured, one for each gateway service, restricting access based on the consumer group the consumer or application is part of. The consumer group name in the “Allow” field is case-sensitive.
Apply Limits for each tier
Not only can we apply rate limits per product, but we can also scope them to a specific tier in Kong Konnect. This will allow us to implement rate limiting and access restrictions to enforce the boundaries of each tier.
We will leverage Konnect's Rate Limiting Advanced plugin to achieve this. When applying the configuration for each rate limit, we need to do three things:
- We need to scope the rate limit to a specific product (Gateway Service: Market Data, Accounts & Payments)
- We need to scope the rate limit to the tier (Consumer Group: Free, Basic or Premium)
- Set the rate limit we want for that product in that tier.
For the Rate Limiting Advanced plugin, the applied configuration will look something like this:
- Market Data Gateway Service will be scoped to the free consumer group with a limit of 100 RPM
- Market Data Gateway Service will be scoped to the basic consumer group with a limit of 1,000 RPM
- Market Data Gateway Service will be scoped to the premium consumer group with a limit of 5,000 RPM
- Accounts Gateway Service will be scoped to the basic consumer group with a limit of 500 RPM
- Accounts Gateway Service will be scoped to the premium consumer group with a limit of 2,500 RPM
- Payments Gateway Service will be scoped to the premium consumer group with a limit of 1,000 RPM
For example, this is what it would look like for the Rate Limiting Advanced plugin applied to the free tier market data product:

Once you’ve scoped the specific rate limits per minute for each consumer group on the three different gateway services we have, it should look like this:

And that’s it. We should now have our different tiers set up with the correct request limits for each one.
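Before testing by hand, the configuration can be checked against the intended tier matrix. The script below is an added example, not part of the original article or of Kong's tooling: it flags the mistakes this setup is prone to (the “Include Consumer Groups” checkbox left off, a case mismatch in the “Allow” field, a tier granted access it should not have, a missing or wrong rate limit). The service names `market-data`, `accounts` and `payments` and the layout of the `APPLIED` dict are assumptions made for illustration.

```python
# Intended tier policy from the article: requests per minute per product and tier.
POLICY = {
    "market-data": {"free": 100, "basic": 1000, "premium": 5000},
    "accounts": {"basic": 500, "premium": 2500},
    "payments": {"premium": 1000},
}
GROUPS = {"free", "basic", "premium"}  # consumer group names exactly as created

# Constructed sample of an applied configuration with deliberate mistakes.
# The dict layout is hypothetical, not a decK export.
APPLIED = {
    "acl": {
        "market-data": {"allow": ["free", "basic", "premium"], "include_consumer_groups": True},
        "accounts": {"allow": ["basic", "Premium"], "include_consumer_groups": True},
        "payments": {"allow": ["premium", "basic"], "include_consumer_groups": False},
    },
    # (service, consumer group) -> limit per minute; payments/premium is missing
    "rate_limits": {
        ("market-data", "free"): 100, ("market-data", "basic"): 1000,
        ("market-data", "premium"): 5000,
        ("accounts", "basic"): 500, ("accounts", "premium"): 2500,
    },
}


def audit(policy, groups, applied):
    """Return (service, issue) pairs where the applied config drifts from policy."""
    findings = []
    for service, tiers in policy.items():
        acl = applied["acl"].get(service)
        if acl is None:
            findings.append((service, "no ACL plugin: any valid key is accepted"))
            continue
        if not acl.get("include_consumer_groups"):
            findings.append((service, "include_consumer_groups is off"))
        for name in acl["allow"]:
            if name not in groups:  # the allow list is case-sensitive
                findings.append((service, f"allow entry {name!r} matches no group"))
            elif name not in tiers:
                findings.append((service, f"group {name!r} allowed but not in policy"))
        for group, rpm in tiers.items():
            actual = applied["rate_limits"].get((service, group))
            if actual != rpm:
                findings.append((service, f"{group} limit is {actual}, expected {rpm}"))
    return findings


if __name__ == "__main__":
    for service, issue in audit(POLICY, GROUPS, APPLIED):
        print(f"{service}: {issue}")
```
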
Testing
Let's verify that the tiering model we’ve implemented works as expected. I’m going to use my favorite design, testing, and debugging tool for APIs, Insomnia. Let’s access the APIs as Adam, who’s part of the free tier and therefore only has access to the Market Data API. Adam has access, but the response headers show that he’s being limited to 100 requests per minute:

If Adam tries to access a product that he does not have access to, like the accounts or payments product, he will be denied with a 403 error.

Let’s now test with Ben by accessing the accounts product. We can see that the limit is much higher, at 500 requests per minute:

Conclusion
API product tiering offers a powerful way to customize access, control usage, and monetize your APIs while catering to a wide range of users. Whether you’re offering limited access to developers just getting started or premium features, this model helps you scale efficiently while maintaining a smooth user experience.
Kong Konnect simplifies this process by providing a robust API lifecycle management platform that integrates essential features like authentication, rate limiting, consumer management, and analytics.
Companies like our fictitious FinTech Corporation can deliver tailored solutions, maximize value for users, and unlock new revenue streams. Whether your business is in financial services, e-commerce, healthcare, or any other sector, leveraging API management with Kong Konnect is a step toward building smarter, more scalable, and user-friendly applications.