Engineering
October 22, 2024
8 min read

How to Implement API Product Tiering with Kong Konnect

Declan Keane
Solutions Engineer, Kong

In this blog post, we'll talk about how to implement API product tiering, a powerful way to customize access, control usage, and monetize APIs. This model can help you scale efficiently while maintaining a smooth user experience. Read on to learn more!

We'll be talking about how to implement API product tiering with Kong Konnect, an API lifecycle management platform designed from the ground up for the cloud-native era and delivered as a service. This platform lets you build modern applications better, faster, and more securely. The management plane is hosted in the cloud by Kong, while you can choose to either host the data plane yourself in your preferred network environments or let Kong manage it for you in the cloud. 

Want to check out Kong Konnect? Click here to register for free.

What is API Product Tiering?

What is API product tiering, and how can Kong Konnect help you achieve it? API product tiering is a way of offering different levels of access, features, and usage limits for APIs based on a customer's subscription plan or payment level. It helps organizations monetize their APIs, control resource usage, and cater to a wide range of users with varying needs.

Let’s begin by defining some key concepts related to API product tiering:

1. Different tiers for different users:

  • APIs are divided into different levels or “tiers,” for example free, basic, and premium.
  • Each tier offers a different level of service capability. Higher tiers offer more features, broader access to the APIs themselves, and better support.

2. Rate Limits:

  • Each tier can have its own rate limits, which control how many API requests a user can make within a given period. As an example, the Free tier gets 100 requests per month, the Basic tier gets 1,000 calls per month, and the Premium tier gets 5,000 requests per month.
  • The additional benefit is that this lets you manage your upstream application resources and scale appropriately. It can also prevent abuse and overload of upstream resources.

3. Feature Access:

  • Feature access is granted based on the tier a user belongs to. Lower tiers (for example, Free) have access only to a subset of features or APIs, while higher tiers like Basic and Premium have more or full access to features.

4. Authentication and authorization:

  • Users are given unique credentials like an API key or token when they subscribe to an API. These credentials are tied to the user and can be enforced when accessing different products.

5. Monetization:

  • API providers can then charge users based on their subscriptions. As an example, a free tier might offer limited access for testing purposes, while the paid tiers offer full access.
  • This model helps companies generate revenue by selling higher-value access to their APIs.

6. Support and service level:

  • Higher tiers often come with additional perks like priority support, dedicated account management, or service-level agreements (SLAs) that guarantee uptime and performance.

Example Scenario

Product tiering can work across many industries such as AI, e-commerce, healthcare, telecommunications, travel and hospitality, and banking to name a few. To showcase how this works in Konnect, let's come up with a fictitious company called FinTech Corporation, a financial services company. To keep things simple, they offer three different API Products: 

  • Market Data API: Offers access to real-time and historical stock prices, foreign exchange rates, and financial news
  • Account Information API: Provides access to users' bank account details, balances, and transaction history.
  • Payment Processing API: Enables money transfers, bill payments, and peer-to-peer transactions.

This setup allows FinTech to cater to different customer segments, from small app developers to large enterprises needing full access to real-time data and high transaction volumes.

Achieving this in Konnect

Feeling efficient and want to test this out for yourself? Just push the decK configuration directly into Konnect using this decK file. Be careful not to overwrite any existing configuration.

If you aren't familiar with decK, follow this getting started guide. When authenticating with the control plane, you need to pass an access token. This link covers how to generate and use that token with decK.

Set API Products

The first task is to define your APIs. Let’s expose and organize them into manageable products. To do this we will create routes and services in Konnect to correspond to your specific API endpoints.

Since this is just an example, I’m going to use a simple mocking service hosted by Kong, https://httpbin.konghq.com. We'll create the following services for our Market Data, Account Information, and Payment Processing API:

Each service will have a corresponding route to expose the APIs:

Enabling Authentication to Protect API Products

To secure the APIs, we can require authentication on the different APIs through the various authentication methods supported by Kong Gateway, including basic authentication, JWT, OpenID Connect, LDAP, and more.

To keep things simple let’s enable key authentication for all APIs. Once enabled, you need to provide a key to get access to these endpoints. I've set it globally, but it could be also scoped per service or route:

Provisioning of Consumer & Credentials

To represent the end users or applications that will access these products, we'll create consumers and provision a key authentication credential to get access to each product. I’ve labeled the users with their tiers so we can keep track of them. Adam is in the free tier, Ben is in the basic tier, and Charlie is in the premium tier. I've also created a secure credential for each consumer:

Creating Different Tiers with Consumer Groups

A useful component of Konnect is Consumer groups. Consumer groups provide the ability to organize consumers within an API ecosystem. By grouping consumers, you eliminate the need to manage them individually, providing a scalable, efficient approach to managing configurations. We can also scope policies (plugins in the Konnect world) to Consumer Groups. To achieve our use case, we will create three different Consumer groups, free, basic, and premium. These will represent the different tiers we outlined in the previous section.

We will also add the Consumers we created in the previous step to their corresponding Consumer Group/Tier:

  • Adam is in the “Free” Consumer Group
  • Ben is in the “Basic” Consumer Group
  • Charlie is in the “Premium” Consumer Group

In a real-world scenario, you can have many consumers be part of a consumer group.

Limit Access with ACL plugin

FinTech Corporation has decided to limit access to specific products based on the tier a consumer is in. We can leverage Konnect's built-in ACL plugin together with Consumer Groups to limit access per tier.

  • Market Data gives access to every tier
  • Accounts gives access only to Basic and Premium users
  • Payments is accessible only to Premium users

Important Note: when configuring the ACL plugin there is a checkbox that enables the ACL plugin for Consumer Groups, it’s called “Include Consumer Groups.” Make sure this is enabled.

The market data product will allow access to all tiers/consumer groups:

The accounts product will only allow access to basic and premium:

Payments allows access only for premium consumers:

You now have three ACL plugins configured, one on each gateway service, restricting access based on the consumer group the consumer or application is part of. The consumer group name in the “Allow” field is case-sensitive.

Apply Limits for each tier

Not only can we apply rate limits per product, we can also scope them to a specific tier in Kong Konnect. This lets us combine rate limiting with the access restrictions above to enforce the boundaries of each tier.

We will leverage Konnect's Rate Limiting Advanced plugin to achieve this. When applying the configuration for each rate limit we need to do three things:

  1. We need to scope the rate limit to a specific product (Gateway Service: Market Data, Accounts & Payments)
  2. We need to scope the rate limit to the tier (Consumer Group: Free, Basic or Premium)
  3. Set the rate limit we want for that product in that tier. 

For the Rate limit Advanced plugin configuration, the applied configuration will look something like this:

  • Market Data Gateway Service will be scoped to the free consumer group with a limit of 100 RPM 
  • Market Data Gateway Service will be scoped to the basic consumer group with a limit of 1,000 RPM
  • Market Data Gateway Service will be scoped to the premium consumer group with a limit of 5,000 RPM
  • Accounts Gateway Service will be scoped to the basic consumer group with a limit of 500 RPM
  • Accounts Gateway Service will be scoped to the premium consumer group with a limit of 2,500 RPM
  • Payments Gateway Service will be scoped to the premium consumer group with a limit of 1,000 RPM

For example, this is what it would look like for the rate limit advanced plugin applied to the free tier market data product:

Once you’ve scoped the specific rate limits per minute for each consumer group on the three different gateway services we have, it should look like this:

And that’s it: we have now set up our different tiers with the correct request limits for each tier.
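The whole procedure above (services and routes, global key-auth, consumers with credentials, consumer groups, per-service ACLs, and per-tier Rate Limiting Advanced instances) as one declarative file. This is an added example written for this post, not the author's decK file linked above, and it goes a little beyond the screenshots by putting every step in one sync-able document. The control plane name, route paths, usernames and the `REPLACE_*` keys are placeholders I made up; the field names follow decK's state-file format, so run `deck gateway validate` against your control plane before `deck gateway sync`.

```yaml
# Added example, not the blog's own decK file: the FinTech Corporation
# tiering model as a single decK state file. Assumed/placeholder values:
# the control plane name, route paths, usernames and the REPLACE_* keys.
_format_version: "3.0"
_konnect:
  control_plane_name: fintech-cp      # assumed; use your own control plane name

# One Gateway Service and Route per API product, each with an ACL plugin.
# include_consumer_groups makes the ACL match on consumer-group membership
# rather than on ACL groups; the names under allow are case-sensitive.
services:
  - name: market-data
    url: https://httpbin.konghq.com
    routes: [{name: market-data-route, paths: ["/market-data"], strip_path: true}]
    plugins:
      - name: acl
        config: {allow: ["free", "basic", "premium"], include_consumer_groups: true}
  - name: accounts
    url: https://httpbin.konghq.com
    routes: [{name: accounts-route, paths: ["/accounts"], strip_path: true}]
    plugins:
      - name: acl
        config: {allow: ["basic", "premium"], include_consumer_groups: true}
  - name: payments
    url: https://httpbin.konghq.com
    routes: [{name: payments-route, paths: ["/payments"], strip_path: true}]
    plugins:
      - name: acl
        config: {allow: ["premium"], include_consumer_groups: true}

# The three tiers.
consumer_groups:
  - name: free
  - name: basic
  - name: premium

# One consumer per tier, tagged with its tier and holding a key-auth credential.
# The keys are placeholders: generate long random secrets and keep the real
# file out of version control.
consumers:
  - username: adam
    tags: ["tier-free"]
    groups: [{name: free}]
    keyauth_credentials: [{key: REPLACE_WITH_RANDOM_KEY_ADAM}]
  - username: ben
    tags: ["tier-basic"]
    groups: [{name: basic}]
    keyauth_credentials: [{key: REPLACE_WITH_RANDOM_KEY_BEN}]
  - username: charlie
    tags: ["tier-premium"]
    groups: [{name: premium}]
    keyauth_credentials: [{key: REPLACE_WITH_RANDOM_KEY_CHARLIE}]

# Global key-auth (every route requires an apikey header), then one Rate
# Limiting Advanced instance per (service, consumer group) pair. A 60 s
# window makes "limit" a per-minute figure; strategy local needs sync_rate -1.
plugins:
  - name: key-auth
    config: {key_names: ["apikey"], hide_credentials: true}
  - name: rate-limiting-advanced
    service: market-data
    consumer_group: free
    config: {limit: [100], window_size: [60], window_type: sliding, strategy: local, sync_rate: -1, namespace: market-data-free}
  - name: rate-limiting-advanced
    service: market-data
    consumer_group: basic
    config: {limit: [1000], window_size: [60], window_type: sliding, strategy: local, sync_rate: -1, namespace: market-data-basic}
  - name: rate-limiting-advanced
    service: market-data
    consumer_group: premium
    config: {limit: [5000], window_size: [60], window_type: sliding, strategy: local, sync_rate: -1, namespace: market-data-premium}
  - name: rate-limiting-advanced
    service: accounts
    consumer_group: basic
    config: {limit: [500], window_size: [60], window_type: sliding, strategy: local, sync_rate: -1, namespace: accounts-basic}
  - name: rate-limiting-advanced
    service: accounts
    consumer_group: premium
    config: {limit: [2500], window_size: [60], window_type: sliding, strategy: local, sync_rate: -1, namespace: accounts-premium}
  - name: rate-limiting-advanced
    service: payments
    consumer_group: premium
    config: {limit: [1000], window_size: [60], window_type: sliding, strategy: local, sync_rate: -1, namespace: payments-premium}
```

Two design points worth noting. The ACL is attached to the service rather than configured globally, so a consumer that is not in any allowed group gets a 403 from that product only, while a request with no valid key is rejected earlier by the global key-auth with a 401. Each Rate Limiting Advanced instance gets its own namespace so the counters for, say, Adam on Market Data never share state with Ben on Accounts; with strategy local the counters live on each data plane node, which is fine for a single node or a demo but means a multi-node deployment would need the redis strategy to enforce one shared limit.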

Testing

Let's verify that the tiering model we’ve implemented works as expected. I’m going to use my favorite design, testing, and debugging tool for APIs, Insomnia. Let’s access the APIs as Adam, who’s part of the free tier and therefore only has access to the Market Data API. As we can see, Adam has access, but the response headers show he’s being limited to 100 requests per minute:

If Adam tries to access a product that he does not have access to like the accounts or payments product, he will get denied with a 403 error. 

Let’s now test with Ben by accessing the Accounts product, and we can see that his limit is much higher at 500 requests per minute:

Conclusion

API product tiering offers a powerful way to customize access, control usage, and monetize your APIs while catering to a wide range of users. Whether you’re offering limited access to developers just getting started or premium features, this model helps you scale efficiently while maintaining a smooth user experience.

Kong Konnect simplifies this process by providing a robust API lifecycle management platform that integrates essential features like authentication, rate limiting, consumers management, and analytics.

Companies like our fictitious FinTech Corporation can deliver tailored solutions, maximize value for users, and unlock new revenue streams. Whether your business is in financial services, e-commerce, healthcare, or any other sector, leveraging API management with Kong Konnect is a step toward building smarter, more scalable, and user-friendly applications.
