1
00:00:00,110 --> 00:00:01,700
So we have now created our API,

2
00:00:01,700 --> 00:00:04,760
and it is time to make it available for our customers,

3
00:00:04,760 --> 00:00:07,060
and we may wanna charge them some money for it.

4
00:00:07,060 --> 00:00:11,000
So for this, there is a concept of usage plans and API keys.

5
00:00:11,000 --> 00:00:13,220
So the way it works is that we create a usage plan,

6
00:00:13,220 --> 00:00:14,763
in which we define who can access

7
00:00:14,763 --> 00:00:17,046
one or more API stages and methods,

8
00:00:17,046 --> 00:00:19,920
how much and how fast they can access them,

9
00:00:19,920 --> 00:00:23,260
and which API keys are linked to this usage plan,

10
00:00:23,260 --> 00:00:26,090
to identify the clients and meter their access.

11
00:00:26,090 --> 00:00:28,050
Then we can also configure throttling limits.

12
00:00:28,050 --> 00:00:31,618
So, how fast their users can target our API,

13
00:00:31,618 --> 00:00:34,520
and quotas, in case we just wanna say, for example,

14
00:00:34,520 --> 00:00:36,999
that only 10,000 requests a month can be done

15
00:00:36,999 --> 00:00:39,810
on our API before you need to pay some more.

16
00:00:39,810 --> 00:00:41,800
And then we can create API keys.

17
00:00:41,800 --> 00:00:44,730
These are just strings to distribute to your customers,

18
00:00:44,730 --> 00:00:46,390
and they look like this.

19
00:00:46,390 --> 00:00:48,870
And these API keys allow your customers

20
00:00:48,870 --> 00:00:51,330
to securely use your API gateway,

21
00:00:51,330 --> 00:00:53,330
and authenticate their requests.

22
00:00:53,330 --> 00:00:56,220
And you can use this in conjunction with the usage plan

23
00:00:56,220 --> 00:00:57,680
to control access.

24
00:00:57,680 --> 00:00:59,500
And if you enable any throttling limits,

25
00:00:59,500 --> 00:01:02,440
they are applied at the API key level.

26
00:01:02,440 --> 00:01:06,260
Overall, the quota limit is the overall number of requests.
27
00:01:06,260 --> 00:01:08,700
So, by using the usage plan and the API keys,

28
00:01:08,700 --> 00:01:10,010
as we'll see in the hands-on,

29
00:01:10,010 --> 00:01:12,870
we're able to really monitor,

30
00:01:12,870 --> 00:01:16,600
offer our API, and limit it, for our customers.

31
00:01:16,600 --> 00:01:19,150
So what's the order in which you create an API key

32
00:01:19,150 --> 00:01:20,360
and a usage plan?

33
00:01:20,360 --> 00:01:21,560
So, in order to configure a usage plan,

34
00:01:21,560 --> 00:01:22,848
you need to remember it.

35
00:01:22,848 --> 00:01:25,340
You need to first create one or more APIs,

36
00:01:25,340 --> 00:01:28,360
and then configure the methods that will require an API key,

37
00:01:28,360 --> 00:01:31,840
and then deploy the API to your stages.

38
00:01:31,840 --> 00:01:34,550
Then you would generate or import API keys,

39
00:01:34,550 --> 00:01:36,194
to distribute to application developers.

40
00:01:36,194 --> 00:01:39,440
So they're your customers who will be using your API.

41
00:01:39,440 --> 00:01:41,290
And then you create a usage plan,

42
00:01:41,290 --> 00:01:44,150
with the desired throttle and quota limits.

43
00:01:44,150 --> 00:01:47,309
And finally, you need to associate the API stages

44
00:01:47,309 --> 00:01:50,220
and API keys with the usage plan.

45
00:01:50,220 --> 00:01:52,530
And that's what we'll do in this lecture.

46
00:01:52,530 --> 00:01:54,200
And the last step, if you forget it,

47
00:01:54,200 --> 00:01:55,730
then things will not work.

48
00:01:55,730 --> 00:01:59,610
Finally, the callers of the API must supply an API key,

49
00:01:59,610 --> 00:02:03,370
in the x-API-key header of requests into the API.

50
00:02:03,370 --> 00:02:05,650
So to make it very clear, let's go into the hands-on

51
00:02:05,650 --> 00:02:08,760
and practice the usage plans and the API keys.
52
00:02:08,760 --> 00:02:10,850
So, let's go ahead and create our method

53
00:02:10,850 --> 00:02:13,040
that is going to be controlled by an API key.

54
00:02:13,040 --> 00:02:14,930
So I'm going to create a new resource,

55
00:02:14,930 --> 00:02:17,420
call it API key for this demo,

56
00:02:17,420 --> 00:02:19,310
and then create the resource.

57
00:02:19,310 --> 00:02:21,900
Then underneath, I will create a method,

58
00:02:21,900 --> 00:02:24,930
and this method is going to be a GET to make things simple.

59
00:02:24,930 --> 00:02:27,240
And then this method is going to be a Mock,

60
00:02:27,240 --> 00:02:28,870
to make things even more simple,

61
00:02:28,870 --> 00:02:31,430
so we don't need to integrate with any back-end.

62
00:02:31,430 --> 00:02:32,660
I'll press save.

63
00:02:32,660 --> 00:02:34,730
And if you wanna see what Mock does,

64
00:02:34,730 --> 00:02:37,137
you can just test it, and then press test,

65
00:02:37,137 --> 00:02:41,140
and it returns no data, but at least it says yes, it works.

66
00:02:41,140 --> 00:02:43,330
So back into the API execution,

67
00:02:43,330 --> 00:02:45,370
I can set a method request.

68
00:02:45,370 --> 00:02:48,850
And in here, I can set that my API key is required.

69
00:02:48,850 --> 00:02:50,520
Yes, so true.

70
00:02:50,520 --> 00:02:54,010
So now in this method, I need an API key to access it,

71
00:02:54,010 --> 00:02:55,570
otherwise, things will not work.

72
00:02:55,570 --> 00:02:59,160
So next, let's define usage plans and API keys.

73
00:02:59,160 --> 00:03:01,040
So I'm going to create a usage plan

74
00:03:01,040 --> 00:03:02,280
from the left-hand side,

75
00:03:02,280 --> 00:03:04,385
I'll call it demo plan.

76
00:03:04,385 --> 00:03:07,993
And in here, I can enable both throttling and quotas.

77
00:03:07,993 --> 00:03:10,194
So throttling is saying how many requests per second

78
00:03:10,194 --> 00:03:13,480
I want to get maximum, so 10, maybe.
79
00:03:13,480 --> 00:03:15,420
And the burst of requests is how much

80
00:03:15,420 --> 00:03:17,260
I'm allowing my customers to go over it,

81
00:03:17,260 --> 00:03:19,970
just in case they have a few more bursting requests.

82
00:03:19,970 --> 00:03:20,949
So maybe five.

83
00:03:20,949 --> 00:03:22,870
Then do I want to enable a quota?

84
00:03:22,870 --> 00:03:23,900
And I wanna say yes.

85
00:03:23,900 --> 00:03:26,540
You cannot do more than 10,000 requests per month,

86
00:03:26,540 --> 00:03:28,370
otherwise, you would pay more.

87
00:03:28,370 --> 00:03:29,940
So I'll click on next,

88
00:03:29,940 --> 00:03:32,000
and here is my usage plan.

89
00:03:32,000 --> 00:03:34,970
But currently, it's not associated with any stages.

90
00:03:34,970 --> 00:03:36,810
So I can associate it with a stage.

91
00:03:36,810 --> 00:03:41,070
So with this API, and then the stage is going to be prod.

92
00:03:41,070 --> 00:03:43,640
Now note we haven't deployed our new resources to prod,

93
00:03:43,640 --> 00:03:45,360
so this is not going to be active.

94
00:03:45,360 --> 00:03:47,810
So I'll say yes, here we go.

95
00:03:47,810 --> 00:03:49,520
And this is associated with prod.

96
00:03:49,520 --> 00:03:51,070
No methods have been configured,

97
00:03:51,070 --> 00:03:52,630
so we can configure a method throttling,

98
00:03:52,630 --> 00:03:56,350
but we'll do this once we go ahead and deploy our API.

99
00:03:56,350 --> 00:03:58,010
So, I'll click on next,

100
00:03:58,010 --> 00:04:01,517
and then we need to add API keys to the usage plan.

101
00:04:01,517 --> 00:04:03,970
So I need to create an API key first,

102
00:04:03,970 --> 00:04:05,230
and add it to the usage plan,

103
00:04:05,230 --> 00:04:07,300
which I can do from the left-hand side as well.

104
00:04:07,300 --> 00:04:08,730
So I'll click on this button,

105
00:04:08,730 --> 00:04:11,070
and this API key, so this is my cool customer.
106
00:04:11,070 --> 00:04:13,410
So I'll call it cool customer.

107
00:04:13,410 --> 00:04:16,190
Under the API key, you can set a custom value,

108
00:04:16,190 --> 00:04:18,270
or automatically generate it.

109
00:04:18,270 --> 00:04:19,760
So I'll go with auto-generate,

110
00:04:19,760 --> 00:04:21,950
and the API gateway will give me a value.

111
00:04:21,950 --> 00:04:23,140
And press save.

112
00:04:23,140 --> 00:04:26,980
So this cool customer has been added to my usage plan,

113
00:04:26,980 --> 00:04:28,550
and then I can click on done.

114
00:04:28,550 --> 00:04:31,160
And now we have created our first usage plan.

115
00:04:31,160 --> 00:04:34,210
Because we can see, this is associated with the prod stage,

116
00:04:34,210 --> 00:04:36,830
there is the rate, the burst and the quota.

117
00:04:36,830 --> 00:04:41,020
And we can go to the API keys and find this API key.

118
00:04:41,020 --> 00:04:42,800
So if I do usage,

119
00:04:42,800 --> 00:04:44,960
I can see how many times they have been used.

120
00:04:44,960 --> 00:04:47,410
So currently nothing, and by extension,

121
00:04:47,410 --> 00:04:51,210
I can create an extra extension or request for an API key.

122
00:04:51,210 --> 00:04:54,960
Okay, if I click on this API key itself,

123
00:04:54,960 --> 00:04:57,950
I can see that we are now in the API key panel,

124
00:04:57,950 --> 00:04:59,660
and I can show this API key.

125
00:04:59,660 --> 00:05:02,450
And this is what I would be sending to my customers,

126
00:05:02,450 --> 00:05:04,650
so they can start using my API.

127
00:05:04,650 --> 00:05:07,740
So this is great, my API key is now associated

128
00:05:07,740 --> 00:05:10,270
with my usage plan, which is extremely important.

129
00:05:10,270 --> 00:05:12,440
So now let's go into my API.

130
00:05:12,440 --> 00:05:14,163
And I will find my first API.

131
00:05:15,630 --> 00:05:20,280
And I will deploy this, I will deploy this API into prod.
132
00:05:20,280 --> 00:05:21,810
And by the way, canary is enabled,

133
00:05:21,810 --> 00:05:23,780
so I'm just going to disable canaries.

134
00:05:23,780 --> 00:05:25,210
So I'll go to prod, and I will go to canary

135
00:05:25,210 --> 00:05:27,670
and delete the canary.

136
00:05:27,670 --> 00:05:29,400
We don't need it anymore.

137
00:05:29,400 --> 00:05:33,438
And back into my resources, action, deploy API,

138
00:05:33,438 --> 00:05:34,900
into prod,

139
00:05:34,900 --> 00:05:36,150
and deploy.

140
00:05:36,150 --> 00:05:39,330
So now, my prod has an

141
00:05:39,330 --> 00:05:41,520
API key route, okay,

142
00:05:41,520 --> 00:05:44,770
and this needs an API key to work.

143
00:05:44,770 --> 00:05:47,900
So this is the API key we used from our customer.

144
00:05:47,900 --> 00:05:49,540
So back into our usage plan.

145
00:05:49,540 --> 00:05:50,870
If we go to the demo plan,

146
00:05:50,870 --> 00:05:53,950
we can configure method throttling, if we wanted to,

147
00:05:53,950 --> 00:05:57,600
and say okay, on top of it, this API key method,

148
00:05:57,600 --> 00:06:00,310
the GET, you can only do five requests per second,

149
00:06:00,310 --> 00:06:01,620
and a burst of two,

150
00:06:01,620 --> 00:06:05,490
so we're really able to try it out and test it.

151
00:06:05,490 --> 00:06:06,920
There is a concept of a marketplace,

152
00:06:06,920 --> 00:06:09,000
where you can sell your API keys directly

153
00:06:09,000 --> 00:06:12,690
onto the AWS marketplace, but for now, this is out of scope.

154
00:06:12,690 --> 00:06:15,220
Okay, so now if we go to the stages,

155
00:06:15,220 --> 00:06:16,740
and go to prod,

156
00:06:16,740 --> 00:06:20,052
and we go to this API key method,

157
00:06:20,052 --> 00:06:22,180
and we just click on it,

158
00:06:22,180 --> 00:06:24,130
as you can see, we see message forbidden.
159
00:06:24,130 --> 00:06:27,180
This is because my API key has not been passed,

160
00:06:27,180 --> 00:06:29,290
and therefore everything is not working.

161
00:06:29,290 --> 00:06:31,770
So now we have to make this request work,

162
00:06:31,770 --> 00:06:32,720
because we're forbidden.

163
00:06:32,720 --> 00:06:33,553
So as you can see now,

164
00:06:33,553 --> 00:06:35,400
I've opened something called Insomnia.

165
00:06:35,400 --> 00:06:38,580
So Insomnia is a desktop client for REST.

166
00:06:38,580 --> 00:06:40,030
So if you go to Insomnia REST,

167
00:06:40,030 --> 00:06:41,870
I would highly recommend downloading this.

168
00:06:41,870 --> 00:06:44,810
This is free, and so this is using,

169
00:06:44,810 --> 00:06:46,900
this is going to be a REST client for my desktop,

170
00:06:46,900 --> 00:06:49,620
to make API calls onto this API,

171
00:06:49,620 --> 00:06:51,940
but I can supply now some headers.

172
00:06:51,940 --> 00:06:55,100
So, I'm going to create a new request,

173
00:06:55,100 --> 00:06:58,590
and I'll call it API key example.

174
00:06:58,590 --> 00:07:00,000
And it's going to be a GET,

175
00:07:00,000 --> 00:07:03,030
and on top, I can enter the URL that I had right here.

176
00:07:03,030 --> 00:07:04,710
So if I click on send, again,

177
00:07:04,710 --> 00:07:07,460
I'm getting the message forbidden, just like we have.

178
00:07:07,460 --> 00:07:09,200
But now to use the API keys,

179
00:07:09,200 --> 00:07:11,210
I can go ahead and specify

180
00:07:11,210 --> 00:07:14,170
the API key header in my request.

181
00:07:14,170 --> 00:07:16,490
So for this, I first need to retrieve my API key

182
00:07:16,490 --> 00:07:17,940
for my cool customer.
183
00:07:17,940 --> 00:07:19,880
And here is the value,

184
00:07:19,880 --> 00:07:21,660
and then in Insomnia,

185
00:07:21,660 --> 00:07:22,493
on the right-hand side,

186
00:07:22,493 --> 00:07:27,080
I'm going to add a header called x-API-key,

187
00:07:27,080 --> 00:07:30,380
and the value of which is the API key of my customer.

188
00:07:30,380 --> 00:07:32,450
So I can pass in the value in here,

189
00:07:32,450 --> 00:07:35,160
and now that I've created a header,

190
00:07:35,160 --> 00:07:36,110
this is a request header

191
00:07:36,110 --> 00:07:38,040
with the right value of the API key.

192
00:07:38,040 --> 00:07:40,540
If I send it, I'm getting a 200,

193
00:07:40,540 --> 00:07:42,440
and my request is now working.

194
00:07:42,440 --> 00:07:44,220
So this is a cool demo, because now,

195
00:07:44,220 --> 00:07:46,030
this API key was used once.

196
00:07:46,030 --> 00:07:48,400
And so if we go to our usage plans,

197
00:07:48,400 --> 00:07:51,740
and go to our demo plan, and look at the metering,

198
00:07:51,740 --> 00:07:54,810
so I'm going to API keys, and then click on usage,

199
00:07:54,810 --> 00:07:58,940
as we can see, and it's going to take a while to reflect.

200
00:07:58,940 --> 00:08:01,150
So it says zero requests but very, very soon,

201
00:08:01,150 --> 00:08:02,530
it should say one request,

202
00:08:02,530 --> 00:08:05,240
when it is being registered by my API gateway.

203
00:08:05,240 --> 00:08:07,890
So that would be the whole idea behind API keys.

204
00:08:07,890 --> 00:08:09,410
Now I can see how many requests are made,

205
00:08:09,410 --> 00:08:11,570
I can bill my customer for these requests,

206
00:08:11,570 --> 00:08:14,180
and I can secure my APIs with API keys.

207
00:08:14,180 --> 00:08:15,013
So that's it.

208
00:08:15,013 --> 00:08:17,900
I hope you liked it and I will see you in the next lecture.