API tokens with cached content

So I’m struggling to figure out if and how I can integrate Cloudflare’s caching into my API while still controlling access through my own API key system. I found an article from 2017 talking about using an HMAC token system, as well as a document detailing an example firewall setting.

On the article, it seems to reference that a business account is needed, but I can’t tell if this is an old requirement or what feature it is referring to that is missing from Pro. As far as the documentation I’ve found, I’m unsure of how I could get this to match my use case since it seems to be mostly centered around a single site use, versus a public API with thousands of keys and millions of user requests from different sites. I’ve also seen ways of possibly doing this with Workers, but at $0.50 per million it would end up costing more than I can competitively charge for my API. My competitor seems to use Cloudflare as well, but I’m unsure if they use caching. So while a business subscription would be fine, having to incur per-request costs would not be worth it.

For my current system, my customers subscribe to my API and are able to request public API keys. With those keys they can put various restrictions on stuff like domain referrer headers, rate limits, and view individual key analytics. Requests are made to a URL like /request/12345.file?key=publickey123, and those can come from end users’ browsers or the customer’s servers themselves.

My initial thoughts go to adding extra hoops of making users request HMAC keys for every session, but even with that I’m unsure how to do it without having firewall settings for every API key and IP, not to mention the hurdles of tracking analytics for proper customer billing.

So am I missing a setup or feature that could help me with this, or if it’s ok to ask, is there another product that might help ease my bandwidth burdens? Thanks!

Is the API requesting your own business system?
Just in the program, the restriction is determined based on the user request key.

Yes, I believe so.

My API supplies my business customers with a source for image and vector files, which their users can load directly through dynamic webpages and apps. I track and limit use of the images based on the API keys, and allow my customers to choose their own limits as well through options in my API program.
