Strategies for preventing abuse of API SaaS free-tier resources?

1 points by derefr ↗ HN
I run an API SaaS business, where most use-cases you'd use our API for involve making a fairly-large number of API requests.

For business reasons, we don't yet have any paid plans (nor any of the infrastructure to support paid plans); so right now we're only giving our users access to a rate-limited free plan.

For the vast majority of our users, they can build and scale their use-case while staying well under the rate limits our free plan imposes.

But some of our users find our rate-limits constraining, and try to evade them by registering additional accounts, to then use multiple API keys in tandem to make their requests. (These users' apps are usually badly-architected, such that they're making 10-100x the number of requests they should be to achieve their use-case.)

Deactivating these users' "alt" accounts as we find them — or even banning these users altogether — doesn't help much, as these users just move on to using increasingly "stealthy" account registrations — using real-seeming email providers; registering through VPNs to disguise their traffic origin; splitting their requests by microservice such that their backend IPs/request-signatures never correlate; etc.

We could force users to go through a KYC/AML-like identity-verification process to register, but this would be a pretty massive hurdle to impose in the way of signing up for a SaaS product — and not one our users would expect, given that we're not a finance or gambling app.

Is there any other way?

Have you scaled an API SaaS with a free-tier plan and dealt with this problem? If so, what did you do?

1 comment

[ 3.7 ms ] story [ 21.8 ms ] thread
One of the things I've been telling my team while developing our platform is that we have to build a product that was so good that people would want to steal it, and the current employees would harass us to keep access to if they moved on (it was an internal platform at the time).

Your users are pulling your product out of your hands. Instead of seeing a problem here, I'd advise to set up meetings with them. Talk with them. Understand the problem they're trying to solve.

What business reasons drive you not to have paid plans?