Strategies for preventing abuse of API SaaS free-tier resources?
For business reasons, we don't yet have any paid plans (nor any of the infrastructure to support paid plans); so right now we're only giving our users access to a rate-limited free plan.
For the vast majority of our users, they can build and scale their use-case while staying well under the rate limits our free plan imposes.
But some of our users find our rate-limits constraining, and try to evade them by registering additional accounts, to then use multiple API keys in tandem to make their requests. (These users' apps are usually badly-architected, such that they're making 10-100x the number of requests they should be to achieve their use-case.)
Deactivating these users' "alt" accounts as we find them — or even banning these users altogether — doesn't help much, as these users just move on to using increasingly "stealthy" account registrations — using real-seeming email providers; registering through VPNs to disguise their traffic origin; splitting their requests by microservice such that their backend IPs/request-signatures never correlate; etc.
We could force users to go through a KYC/AML-like identity-verification process to register, but this would be a pretty massive hurdle to impose in the way of signing up for a SaaS product — and not one our users would expect, given that we're not a finance or gambling app.
Is there any other way?
Have you scaled an API SaaS with a free-tier plan and dealt with this problem? If so, what did you do?
1 comment
[ 3.7 ms ] story [ 21.8 ms ] threadYour users are pulling your product out of your hands. Instead of seeing a problem here, I'd advise to set up meetings with them. Talk with them. Understand the problem they're trying to solve.
What business reasons drive you not to have paid plans?