|  Login

Service Management API

The service management API allows you to integrate your API with the API Management solution directly. If you want to fast track it, check out the numerous code plugins which already code against the API, otherwise, if you want to do a custom integration, read on here.

Version

The current version of this API is v2.0, previous versions are deprecated. Older documentation is available here:

Servers

All calls for this API should go to the following domain unless you are advised otherwise by your account representative:

http://su1.3scale.net/

Note: this is a different endpoint from that used for the Account Management, Stats and Billing APIs.

Documentation

This document describes the protocol used for your API to communicate with 3scale backend server for authorizing and reporting transactions between your infrastructure and your API users.

Definitions

service
any web service implementing an API
provider
an organization, company or individual providing a service
application
a consumer endpoint of a web service (website, embeddable widget, desktop program, mobile application, HTTP enabled microwawe oven, …)
transaction
Single unit of interaction between an application and a service. In case of HTTP-base web services, this is usually one request-response exchange.
resource
Anything that is spent during a transaction and can be measured. This can be for example CPU time spent during the processing, or storage space used for storing some data, and so on.
metric
A way to measure a resource. For example: number of API hits, amout of disk space in megabytes, CPU time in miliseconds, …
provider key
Unique textual identifier of a provider.
application id
Public unique textual identifiier of an application.
application key
Secret key for authenticating transactions.

Operations

The API exposes a simple REST-based interface that provides these operations: authorize, and report.

AUTHORIZE

Read-only operation to authorize an application. It is used to check if a particular application exists, is active and is within usage limits of the service. It can be optionally used to authenticate a call using an application key.

GET /transactions/authorize.xml?app_id={app_id}&provider_key={provider_key}[&app_key={app_key}]

Parameters
provider_key
Provider key. Required.
app_id
Application id. Required.
app_key
Application key. Required only if it is defined for the application.
referrer
Referrer IP Address or Domain. Required if referrer filtering is enabled. If special value “*” (start) is passed, the referrer check is bypassed.
no_body
Specify this parameter to remove the HTTP body from the response. Optional. Example: no_body=true
usage
Predicted usage. Optional
Predicted usage

It’s possible to pass a “predicted usage” to the authorize call. This can serve two purposes:

  1. To make sure an API call won’t go over the limits before the call is made, if the usage of the call is known in advance. In this case, the estimated usage can be passed to the authorize call, and it will respond whether the actual API call is still within limit. In other words, without the usage parameter, authorize only checks the usage that has already been reported. If the usage parameter is passes in, it will check whether the already reported usage + the passed in predicted usage is still within limit.
  2. To limit the authorization only to a subset of metrics. If usage is passed in, only the metrics listed in it will be checked against the limits. For example: There are two metrics defined: searches and updates. updates are already over limit, but searches are not. In this case, the user should still be allowed to do a search call, but not an update one. To authorize this, pass usage[searches]=1 to the authorize call.

NOTE: Even if the predicted usage is passed in, authorize is still a read-only operation. You have to make the report call to report the usage.

NOTE: usage is an associative array of the form {metric : value}. Please reffer to the “Encoding complex data structures in URLs” appendix for more info.

Successful Response

Has status code 200 OK (if authorization is granted), 409 (if it’s not granted) and a body containing authorization result, failure reason (if authorization failed), the plan type and list of usage report entries for every current metric limit. If the no_body parameter is specified, there is no body in the response.

Example of successful authorize response

<status>
  <authorized>true</authorized>
  <plan>Pro</plan>

  <usage_reports>
    <usage_report metric="hits" period="month">
      <period_start>2010-08-01 00:00:00 +00:00</period_start>
      <period_end>2010-09-01 00:00:00 +00:00</period_end>
      <current_value>17344</current_value>
      <max_value>20000</max_value>
    </usage_report>

    <usage_report metric="hits" period="day">
      <period_start>2010-08-04 00:00:00 +00:00</period_start>
      <period_end>2010-08-05 00:00:00 +00:00</period_end>
      <current_value>732</current_value>
      <max_value>1000</max_value>
    </usage_report>
  </usage_reports/>
</status>

Example of failed authorize response (exceeded limits)

<status>
  <authorized>false</authorized>
  <reason>Usage limits are exceeded</reason>
  <plan>Pro</plan>

  <usage_reports>
    <usage_report metric="hits" period="month">
      <period_start>2010-08-01 00:00:00 +00:00</period_start>
      <period_end>2010-09-01 00:00:00 +00:00</period_end>
      <current_value>17344</current_value>
      <max_value>20000</max_value>
    </usage_report>

    <usage_report metric="hits" period="day" exceeded="true">
      <period_start>2010-08-04 00:00:00 +00:00</period_start>
      <period_end>2010-08-05 00:00:00 +00:00</period_end>
      <current_value>1042</current_value>
      <max_value>1000</max_value>
    </usage_report>
  </usage_reports/>
</status>

Explanation of the elements

status
Root element of the response.
authorized
Contains text “true” if the authorization was successful, or “false” if it failed.
reason
Human readable textual description of failure reason. This element appears only if authorize is false.
plan
Name of the plan the user is signed up to.
usage_reports
Contains list of usage_report elements – one per each usage limit defined for the plan the user is signed up to.
usage_report
Contains information about usage status. Contains these elements: period_start, period_end, current_value and max_value. Has attributes metric with the name of the metric the limit applies to, period, which is the period of the limit (year, month, week, day, hour, minute) and optionaly exceeded which is set to “true” if the limit is exceeded in the current period.
period_start
Start of the limit period. It’s in the form YYYY-MM-DD HH:MM:SS +ZZ:ZZ. +ZZ:ZZ (or -ZZ:ZZ) is a time offset (in hours and minutes) from UTC.
period_end
End of the limit period. Same format as period_start
current_value
Value of the corresponding metric accumulated so far in the current period.
max_value
Maximum value allowed by the usage limit.
Errors

In case of error, the response body contains an XML-formatted object with a single element error. This element has one attribute code containing a unique string identifier of the error. The content of this element is a human-readable English description of the error.

These are all possible error identifiers and their meanings:

provider_key_invalid
Provider key is not valid
application_not_found
Application with the given id does not exist.

This is an example of an error response:

<?xml version=“1.0” encoding=“utf-8” ?>
<error code=“application_not_found">Application with id="12345678" was not found</error>

Example Request

GET /transactions/authorize.xml?app_id=709deaac&provider_key=3a68df38cb310b2688b967f6e2cb1af6&app_key=b854fa63c30c5b1bc8c0fce8da1b2cf3 HTTP/1.1

Host: su1.3scale.net

Example Request with referrer

GET /transactions/authorize.xml?app_id=709deaac&provider_key=3a68df38cb310b2688b967f6e2cb1af6&app_key=b854fa63c30c5b1bc8c0fce8da1b2cf3&referrer=example.org HTTP/1.1

Host: su1.3scale.net

Example Request with usage

GET /transactions/authorize.xml?app_id=709deaac&provider_key=3a68df38cb310b2688b967f6e2cb1af6&app_key=b854fa63c30c5b1bc8c0fce8da1b2cf3&usage[hits]=1&usage[transfer]=1024 HTTP/1.1

Host: su1.3scale.net

AUTHREP

“One-shot” operation to authorize an application and report traffic. The only difference between this call and the regular authorize call is that metric usage will be reported if the authorization is successful.

GET /transactions/authrep.xml?app_id={app_id}&provider_key={provider_key}[&app_key={app_key}]&usage[hits]=1

Parameters
provider_key
Provider key. Required.
app_id
Application id. Required.
app_key
Application key. Required only if it is defined for the application.
referrer
Referrer IP Address or Domain. Required if referrer filtering is enabled. If special value “*” (start) is passed, the referrer check is bypassed.
no_body
Specify this parameter to remove the HTTP body from the response. Optional. Example: no_body=true
usage
Metric usage. If the authorization succeeds and the application is still within the limits with this usage, it’s aggregated to the application statistics and usage limits.
Usage

The usage parameters should be passed along in order to report traffic.

  1. This will make sure an API call won’t go over the limits. It will check whether the already reported usage + the passed in usage is still within limit.
  2. If the authorization is successful the usage will then be “reported” and aggregated for statistics and usage limits purposes. There is no need to make a second call to report the traffic since this is already taken care of.

NOTE: usage is an associative array of the form {metric : value}. Please refer to the “Encoding complex data structures in URLs” appendix for more info.

Successful Response

Has status code 200 OK (if authorization is granted – and therefore reported), 409 (if it’s not granted) and a body containing authorization result, failure reason (if authorization failed), the plan type and list of usage report entries for every current metric limit. If the no_body parameter is specified, there is no body in the response.

REPORT

This operation is used to report 3scale system about transactions. Any number of transactions can be reported in one request.

POST /transactions.xml

Parameters
transactions
List of parameters for each transaction in the batch. More details are explained below. Required.
provider_key
Provider key. Required.
The structure of the transactions parameter

The transactions should contain numerically indexed list of records, one for each transaction. Each record can contain these parameters:

app_id
Application ID. Required.
usage
Usage data of the transaction. This should be associative array (a hash) of the form: {metric =&gt; value, ...}, where metric is name of the metric that measures the particular resource (for example “storage” or “hits”) and value is any amount of the corresponding resource spend in the transaction. Required.
timestamp
If given, should be date and time when the transaction occured. It can be
specified in two ways: First, in UTC (Greenwitch time), second, in any other time zone.
In the first case, the timestamp has to be in this format: YYYY-MM-DD HH:MM:SS
for example 2009-01-01 17:45:02. In the second case, the format has to be YYYY-MM-DD HH:MM:SS +HH:MM or YYYY-MM-DD HH:MM:SS -HH:MM, where the +HH:MM
(or -HH:MM) part specifies the time offset from UTC in hours and minutes. For example, for timestamp in PST (Pacific Standard Time), it should look like this: 2009-01-01 22:15:31 -08:00. Optional. If not specified, the time when the transaction was received is used.

These parameters have to be encoded in HTTP POST request using the application/x-www-form-urlencoded media type. Please reffer to the “Encoding complex data structures in URLs” appendix for more info.

Successful Response

Has status code 202 Accepted and no response body

Errors

Processing transactions, especially if there is lot of them, can be time consuming task. To achieve low response times, most of the processing is actually done offline. Fot this reason, there are two ways the errors are reported:

Errors detected during request processing

Only one type of error can occur during request processing – invalid provider key. In case the provider key is not valid, the response has status code 403 Forbidden and the body contains XML document with description of the error. Example:

<?xml version=“1.0” encoding=“utf-8” ?>
<error code="provider_key_invalid">Provider key "abcd1234" is invalid</error>

Errors detected during offline processing

If an error occurs during offline processing, it’s description is stored and can be examined by visiting the provider admin area on www.3scale.net.

Errors that can occur in the offline processing are:

  • invalid application id
  • invalid metric
  • invalid usage value
  • general parsing failure

Note that transactions from a single batch are reported only if all of them are valid. If there is an error in processing of at least one of them, none is reported.

Example Request

POST /transactions.xml HTTP/1.1
Host: su1.3scale.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 428

transactions[0][app_id]=bce4c8f4&
transactions[0][usage][hits]=1&
transactions[0][usage][transfer]=4500&
transactions[0][timestamp]=2009-01-01%2014%3A23%3A08&
transactions[1][app_id]=bad7e480&
transactions[1][usage][hits]=1&
transactions[1][usage][transfer]=2840&
transactions[1][timestamp]=2009-01-01%2018%3A11%3A59&
provider_key=6085e39a9872a7dbfacdc6565b8a255a

Appendix: Encoding complex data structures in URLs

The usual way to encode a complex data structure (array, associative array, nested structures) is to “flatten” it.

For example, having this structure:

{
  "0": {
    "app_id": "bce4c8f4",
    "usage": {"hits": 1, "transfer": 4500},
    "timestamp": "2009-01-01 14:23:08"},

  "1": {
    "app_id": "bad7e480",
    "usage": {"hits": 1, "transfer": 2840},
    "timestamp": "2009-01-01 18:11:59"}}

It has to be encoded like this:

transactions[0][app_id]=bce4c8f4&
transactions[0][usage][hits]=1&
transactions[0][usage][transfer]=4500&
transactions[0][timestamp]=2009-01-01%2014%3A23%3A08&
transactions[1][app_id]=bad7e480&
transactions[1][usage][hits]=1&
transactions[1][usage][transfer]=2840&
transactions[1][timestamp]=2009-01-01%2018%3A11%3A59

(Note that spaces are encoded as %20 and colons as %3A according to URL encoding rules.)

Testimonials

“We wanted to give developers access to our data with as little impact on our organization as possible. True to their name, 3scale helped us scale the administration and tracking of our API program with minimal time and effort on our end.”

Cam Fortin - Director of Business Development of Wine.com

“API management is crucial to the success of our business. 3scale’s price, reliability, support and features made them a clear winner. 3scale does what they promise: API management made simple.”

Sean Jackson - Technical Architect of ScribeSEO.com

“We took a chance on 3scale by working with them very early on, but have been happy that we did.  Their service has been seamless and support excellent.”

Ted Dunning – Chief Technology Officer of Deepdyve

“If you need a lightweight and powerful API management provider you can implement in minutes, you’ll be hard pressed to find a better valued service than 3scale.”

Binh Tran - Co-founder of Klout.com
Follow us on