Implementing API Access Sales (by Key/Subscription) on Website
API monetization — selling access to your data or capabilities to third-party developers. Buyers receive an API key with request quota and methods corresponding to their selected plan.
API Key and Plan Structure
CREATE TABLE api_plans (
id SERIAL PRIMARY KEY,
name TEXT,
requests_per_month INTEGER, -- -1 = unlimited
requests_per_minute INTEGER,
endpoints JSONB, -- ['GET /v1/products', 'GET /v1/orders']
price_monthly NUMERIC(10,2),
);
CREATE TABLE api_keys (
id BIGSERIAL PRIMARY KEY,
user_id BIGINT REFERENCES users(id),
plan_id INTEGER REFERENCES api_plans(id),
key_hash TEXT UNIQUE, -- bcrypt hash of key
key_prefix CHAR(8), -- first 8 characters for display
status TEXT, -- active, revoked, expired
expires_at TIMESTAMPTZ,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE TABLE api_usage (
id BIGSERIAL PRIMARY KEY,
api_key_id BIGINT,
endpoint TEXT,
method TEXT,
status_code SMALLINT,
response_ms INTEGER,
created_at TIMESTAMPTZ DEFAULT NOW()
);
Key Generation and Storage
class ApiKeyService
{
public function generate(int $userId, int $planId): array
{
$rawKey = 'sk_' . Str::random(48); // Example: sk_A1B2C3D4...
ApiKey::create([
'user_id' => $userId,
'plan_id' => $planId,
'key_hash' => Hash::make($rawKey),
'key_prefix' => substr($rawKey, 0, 8),
'status' => 'active',
]);
// Key is shown to user ONCE — after that only the hash
return ['key' => $rawKey, 'prefix' => substr($rawKey, 0, 8)];
}
}
API Authentication Middleware
class ApiKeyAuthMiddleware
{
public function handle(Request $request, Closure $next): Response
{
$rawKey = $request->header('X-API-Key')
?? $request->bearerToken()
?? $request->query('api_key');
if (!$rawKey) {
return response()->json(['error' => 'API key required'], 401);
}
// Quick lookup by prefix, then hash verification
$prefix = substr($rawKey, 0, 8);
$apiKey = ApiKey::where('key_prefix', $prefix)->where('status', 'active')->first();
if (!$apiKey || !Hash::check($rawKey, $apiKey->key_hash)) {
return response()->json(['error' => 'Invalid API key'], 401);
}
$request->setApiKey($apiKey);
return $next($request);
}
}
Rate Limiting
class ApiRateLimiter
{
public function check(ApiKey $apiKey): RateLimitResult
{
$plan = $apiKey->plan;
// Per-minute limit via Redis sliding window
$minuteKey = "rate:{$apiKey->id}:minute:" . floor(time() / 60);
$minuteCount = Redis::incr($minuteKey);
Redis::expire($minuteKey, 120);
if ($minuteCount > $plan->requests_per_minute) {
return RateLimitResult::exceeded(
limit: $plan->requests_per_minute,
reset: (floor(time() / 60) + 1) * 60
);
}
// Monthly limit
$monthKey = "rate:{$apiKey->id}:month:" . date('Y-m');
$monthCount = Redis::incr($monthKey);
Redis::expireat($monthKey, strtotime('first day of next month'));
if ($plan->requests_per_month !== -1 && $monthCount > $plan->requests_per_month) {
return RateLimitResult::quotaExceeded($plan->requests_per_month);
}
return RateLimitResult::ok(
remaining: $plan->requests_per_month === -1
? null
: $plan->requests_per_month - $monthCount
);
}
}
API Usage Dashboard
function ApiUsageDashboard({ apiKeyId }: Props) {
const { data } = useQuery({
queryKey: ['api-usage', apiKeyId],
queryFn: () => fetchUsageStats(apiKeyId),
});
return (
<div className="grid grid-cols-3 gap-6">
<StatCard label="Requests today" value={data?.today} />
<StatCard label="Requests this month" value={data?.month} limit={data?.monthLimit} />
<StatCard label="Avg response time (ms)" value={data?.avgResponseMs} />
</div>
);
}
Timeline
API monetization with keys, plans, and rate limiting: 8–12 business days.