This post highlights how you could use [Kong Gateway](https://konghq.com/kong)Kong Gateway to implement a solution for the [Australian Consumer Data Standards (CDS)](https://consumerdatastandardsaustralia.github.io/standards/#introduction)Australian Consumer Data Standards (CDS), which is part of the [Consumer Data Right](https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0)Consumer Data Right legislation introduced by the Australian Government in November 2017.
As detailed on the Australian [ACCC](https://www.accc.gov.au/focus-areas/consumer-data-right-cdr-0)ACCC website:
*CDR will give consumers greater access to and control over their data and will improve consumers' ability to compare and switch between products and services. It will encourage competition between service providers, leading not only to better prices for customers but also more innovative products and services. CDR will first apply to the banking sector, followed by the *[*energy sector*](https://www.accc.gov.au/focus-areas/consumer-data-right-cdr/energy-cdr)*energy sector**. The telecommunications sector is currently proposed to follow.*
Kong Gateway covers many of the CDS requirements using out-of-the-box features in conjunction with using [Kong plugins](https://docs.konghq.com/hub)Kong plugins, such as the [OpenID Connect](https://docs.konghq.com/hub/kong-inc/openid-connect)OpenID Connect (OIDC) and [CORS](https://docs.konghq.com/hub/kong-inc/cors)CORS.
This blog post will focus on specific features provided by Kong to support CDS and CDR, including CDS Versioning and CDS Traffic Thresholds. These implementation details target the initial rollout of CDS to the banking sector. Some of [Kong's banking customers in Australia](https://konghq.com/case-study/anz-unlocks-open-banking-with-kong-konnect)Kong's banking customers in Australia are currently using these CDS artifacts in production. We can also utilize this solution to support telecommunications and energy sectors in the future.
Two major CDS requirements that are the focus of this blog post are Traffic Thresholds and Versioning, as detailed in the [Standards](https://consumerdatastandardsaustralia.github.io/standards/#standards)Standards and [Non-functional Requirements](https://consumerdatastandardsaustralia.github.io/standards/#non-functional-requirements)Non-functional Requirements sections of the Consumer Data Standards.
Calls above the [CDS Traffic Thresholds](https://consumerdatastandardsaustralia.github.io/standards/#traffic-thresholds)CDS Traffic Thresholds will be freely throttled or rejected. Limits are based on the number of individual sessions per day, transactions per second (TPS) and calls for a specified duration. These limits are applied independently for different consumer types, as explained below.
**Data Recipient **is a configured application that is presented in the register metadata. This acknowledges that a single accredited entity may register multiple independent services (or apps) that can obtain authorizations from consumers independently of each other.
**A Session **is defined as the lifespan of a unique Access Token. Multiple API requests made with a single valid Access Token would be considered part of a single Session.
**Customer Present **are authenticated API requests made in direct response to interactions by the end customer using the digital services of the data recipient. Technically, a data holder will define an API request as "Customer Present" if the "x-fapi-customer-ip-address" header is populated with a valid IP address of the end customer's device.
**Customer Not Present **is authenticated API requests that are not deemed to be "Customer Present."
**Unattended **is a synonym of "Customer Not Present."
Kong's CDS Traffic Thresholds plugin extends the enterprise functionality of the [Advanced Rate Limiting plugin](https://docs.konghq.com/hub/kong-inc/rate-limiting-advanced)Advanced Rate Limiting plugin to cater to the CDS Traffic Threshold requirements. This plugin implements the sliding window algorithm for high accuracy rate limits. See this [blog post](https://konghq.com/blog/how-to-design-a-scalable-rate-limiting-algorithm)blog post for more information on the benefits of the sliding window algorithm.
The high-level logic for determining both rate and session limits is detailed below. Note that for security, the plugin expects HTTP headers to be passed in as internal variables using [kong.ctx.shared](https://docs.konghq.com/gateway-oss/2.4.x/pdk/kong.ctx/#kongctxshared)kong.ctx.shared, and in the case of the session ID, hashed so that it never appears as clear text.
The following table displays the available plugin schema properties applicable to the CDS Session and rate limits described above:
**Parameter****Description**config.high_traffic_time.finishEnd of high traffic time periodconfig.high_traffic_time.startStart of high traffic time periodconfig.max_attended_customer_tpsIf attended, that is, if http_x_fapi_customer_ip_address and Customer_Id exists in HTTP headers, define max TPSconfig.max_data_recipient_tpsMax TPS for the data recipient, as defined by the Data Recipient HTTP Headerconfig.max_private_tpsMax TPS for private secure traffic, that is, if Customer Id HTTP Header exists or unattended trafficconfig.max_unattended_per_session_lowNumber of sessions allowed per session, per customer id, per data recipientconfig.max_unattended_session_tps_lowIf unattended, that is if http_x_fapi_customer_ip_address does not exist in HTTP headers, set max new sessions outside of high traffic timeconfig.max_unattended_sessions_lowIf unattended, that is if http_x_fapi_customer_ip_address does not exist in HTTP headers, set max new sessions outside of high traffic timeconfig.max_public_tpsIf no Customer Id exists in the request, then apply the Public TPS limitCDS Traffic Thresholds defines the following limits:
Customer present and authorization traffic thresholds:
Unattended traffic thresholds will apply for low traffic periods:
For Unattended traffic during high-traffic periods, only best-effort support is required.
Secure traffic (both Customer Present and Unattended) thresholds:
Public traffic (i.e., traffic to unauthenticated endpoints) thresholds:
Here's how easy it is to apply the above limits to the plugin:
curl -s http://localhost:8001/services/example-service/plugins/ \
-d name=cds-traffic-thresholds \
-d config.max_attended_customer_tps=10 \
-d config.max_data_recipient_tps=50 \
-d config.max_unattended_sessions_low=20 \
-d config.max_unattended_per_session_low=100 \
-d config.max_unattended_session_tps_low=5 \
-d config.max_private_tps=300 \
-d config.max_public_tps=300 \
-d config.sync_rate=0 \
-d config.redis.host=kong-ee-redis \
-d config.redis.port=6379 \The CDS has adopted a two-level [versioning](https://consumerdatastandardsaustralia.github.io/standards/#versioning)versioning strategy. The high-level standards, including principles, Uniform Resource Identifier (URI) structure, endpoint versioning, payload naming conventions, etc., can be versioned. Each API endpoint will have an additional version specific to that endpoint. For endpoint versioning, each endpoint will have multiple versions independent of other endpoints. A consumer will request a specific endpoint using an HTTP header:
**x-v (Mandatory)**
**x-min-v (Optional)**
The plugin works similarly to the [Kong Route By Header plugin](https://docs.konghq.com/hub/kong-inc/route-by-header)Kong Route By Header plugin in that it overrides the normal upstream selection logic based on request HTTP headers.
The CDS requirement is to support multiple major and minor versions. In facilitate request routing, major (x-v) and minor (x-min-v) version header values will determine the exact application route based on a logic, such as, if x-min-v > x-v is an error case, while invalid x-v and valid x-min-v responds with resource supporting x-min-v. This logic is built into the CDS versioning plugin.
The following table displays the available plugin schema properties applicable to the CDS Versioning requirements described above:
**Parameter****Description**config.versionsAccepts an array of JSON to match version with an upstream name, for example, {“versions”:[{“major”: 1, “minor”: 3, “upstream_name”: “myapi”}This curl command shows how straightforward it is to configure the plugin:
curl -i http://localhost:8001/routes/example-v1/plugins \
-H 'Content-Type: application/json' \
-d '{"name": "cds-versioning", "config": {"versions":[{"major": 1, "minor": 3, "upstream_name": "myapi"}]}}'The specific requirements for Traffic Thresholds and Versioning are complex. Traffic Thresholds, in particular, require two types of limits for request rate limiting, tracking daily sessions and logic for the various request classifications. Using the Kong CDS plugins hides this complexity, and together with Kong Gateway Enterprise's features, provides a real-world solution to the Australian Consumer Data Standards.
**If you are an existing customer and want more information on the CDS plugins, contact your Kong customer experience manager. If you're not a customer, then reach out to your local **[**Kong Sales Team**](https://konghq.com/contact-sales)**Kong Sales Team****.**
Traditional APIs are, in a word, predictable. You know what you're getting: Compute costs that don't surprise you Traffic patterns that behave themselves Clean, well-defined request and response cycles AI APIs, especially anything that runs on LLMs
[](https://konghq.com/blog/engineering/monetize-ai-apis)
Unify the API and Eventing Developer Experience with the Kong Event Gateway and API Platform Introduction: The EDA and API worlds are converging . . . finally For the past several years, there have been murmurs of an incoming convergence between API
[](https://konghq.com/blog/enterprise/kafka-event-streaming-api-platform)
As of May 2024, Kong Gateway Enterprise 3.3.x.x will enter its End Of Life (EOL) phase and will no longer be a part of the full support cycle. Following this, Kong Gateway Enterprise 3.3.x.x will enter a 12-month sunset support period, exclusively f
[](https://konghq.com/blog/enterprise/kong-gateway-enterprise-3-3-x-x-eol)
We're thrilled to announce the general availability of Kong Gateway Enterprise 3.6. This version brings security, efficiency, and standards conformance to enterprise applications. Plus, Kong AI Gateway , which you can learn more about here . Let’s
[](https://konghq.com/blog/enterprise/kong-gateway-enterprise-3-6)As of February 2024, Kong Gateway Enterprise 3.2.x.x will enter its End Of Life (EOL) phase and out of the full support cycle. Following this, Kong Gateway Enterprise 3.2.x.x will enter a 12-month sunset support period, exclusively focused on helpin
[](https://konghq.com/blog/enterprise/kong-gateway-enterprise-3-2-x-x-eol)
Power up application modernization and migration using Kong Gateway Enterprise and Amazon EKS Anywhere Bare Metal One of the most critical requirements for an Application Modernization project is to support workloads running on multiple platforms. I
[](https://konghq.com/blog/enterprise/kong-gateway-enterprise-amazon-eks-anywhere-bare-metal)
In this episode of Kongcast , I spoke with Grant McKeen and Jonathan White from IntegrationWorks about how open banking and BIAN (Banking Industry Architecture Network) work with Kong Gateway to create simplicity from complexity in the ba
[](https://konghq.com/blog/enterprise/open-banking-bian)