Introduction to Quotas and Governance

Moesif’s Governance Rules feature allows you to automatically enforce quotas or restrict access to your APIs based on user behavior or specific account conditions, such as a user having no pre-paid credits left for a monetized API. Governance rules can help your company adopt a robust API governance policy that complements business growth and improves user experiences through proper regulation and feature optimization.

Governance rules work by interacting with your Moesif server integration to block a request, modify the response on the fly, or both.

Governance SDK interaction

For governance rules to work, you only need to install a Moesif server integration, including user and company tracking where the rules you require depend on it. A governance rule can make decisions not only from the API request itself: you can base governance rules on any customer demographics or behavior that Moesif can track, for example blocking customers with overdue invoices or adding paywalls to your API.

Use Cases and Benefits

Moesif’s governance rules allow you to enforce various policies and business logic for different scenarios. They can help you maintain sustainable growth and improve your business model by extending quotas and governance from a business level to complement the engineering-level governance that most API gateways and management platforms provide.

The following examples illustrate some common use cases that companies leverage governance rules for:

  • If you monetize your API with a prepaid billing model, you can create a governance rule to block customers once they run out of credits or have a negative account balance.
  • Enforce various security and business policies to protect your API, such as blocking bad actors from scraping an abnormally large amount of data.
  • Leverage governance rules to add custom HTTP headers. For example, deprecation warning headers when your customers access an older version of your API.
  • Implement various subscription policies according to your business model. For example, automatically granting and revoking access for different subscription tiers, enforcing quotas and limits for users of different tiers, and so on.

When to Use Moesif Governance Rules

Not for Traditional Rate Limiting

Moesif Governance Rules is not designed as a replacement for traditional rate limiting or request-per-minute (RPM) blocking that API gateways typically handle. If your primary need is to block users who exceed a certain number of requests per second or minute, traditional API gateways or middleware solutions are more appropriate tools for this purpose.

Designed for Longer-Term and Complex Governance

Instead, Moesif Governance Rules excels at:

  • Longer-term quotas: Enforcing limits over days, weeks, or months rather than seconds or minutes
  • Complex business rules: Implementing sophisticated logic based on customer behavior, demographics, or usage patterns
  • Multi-dimensional governance: Making decisions based on combinations of factors beyond simple request counting

For example, while an API gateway might block a user who makes more than 100 requests per minute (a technical constraint), Moesif can block users who have consumed their monthly API quota of 10,000 requests, or who have accessed premium endpoints without the appropriate subscription tier (business constraints).
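To make the business-constraint rules above concrete, here is a small policy evaluator, added as an illustration and not Moesif's own SDK or data model: the customer fields, endpoint prefixes and status codes are assumptions, and per-minute rate limiting is intentionally left out because the text places it at the gateway.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed customer record; field names are assumptions for this example,
# not Moesif's data model.
@dataclass
class Customer:
    company_id: str
    credits: float            # prepaid balance; the rule blocks at zero or below
    tier: str                 # e.g. "free" or "pro"
    monthly_requests: int     # requests consumed so far in the billing month
    monthly_quota: int = 10_000

@dataclass
class Decision:
    blocked: bool
    status: int = 200
    reason: Optional[str] = None
    extra_headers: dict = field(default_factory=dict)

PREMIUM_PREFIXES = ("/v2/premium/",)   # assumed endpoint layout
DEPRECATED_PREFIXES = ("/v1/",)        # assumed older API version

def evaluate(customer: Customer, path: str) -> Decision:
    """Apply the business-level rules from the text in priority order.

    Blocking rules run first; a blocked request never gets the
    deprecation headers because no normal response is produced.
    """
    if customer.credits <= 0:
        return Decision(True, 402, "prepaid credits exhausted")
    if customer.monthly_requests >= customer.monthly_quota:
        return Decision(True, 429, "monthly quota exhausted")
    if path.startswith(PREMIUM_PREFIXES) and customer.tier != "pro":
        return Decision(True, 403, "premium endpoint requires pro tier")
    headers = {}
    if path.startswith(DEPRECATED_PREFIXES):
        # Constructed header values signalling the older version is deprecated.
        headers["Deprecation"] = "true"
        headers["Sunset"] = "Sat, 01 Jan 2028 00:00:00 GMT"  # placeholder date
    return Decision(False, 200, None, headers)
```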

Complex Abuse Detection

Moesif is particularly powerful for detecting and preventing complex abuse scenarios that simple RPM controls cannot address:

  • Blocking users who show unusual access patterns across multiple endpoints
  • Identifying and restricting access when a user’s behavior indicates data scraping or intellectual property theft
  • Enforcing sophisticated fair-use policies that consider the value or computational cost of different endpoints

In a layered API security strategy, API gateways handle the immediate, high-frequency technical constraints while Moesif Governance Rules manages the business-aligned, longer-term, and more complex governance needs.
