Building a Monetized API (Part 1 of 4) — Stable Diffusion…
    Neura MarketNeura Market/Stable Diffusion
    ChatGPTChatGPTClaudeClaudeGeminiGeminiCursorCursorGrokGrokPerplexityPerplexityStable DiffusionStable Diffusion
    DeepSeekDeepSeekCoPilotCoPilotMidjourneyMidjourney
    View All Directories
    OverviewPromptsBlogVideosGuidesCoursesCommunityModelsLoRAsComfyUI WorkflowsTrending
    Stable DiffusionBlogBuilding a Monetized API (Part 1 of 4)
    Back to Blog
    Building a Monetized API (Part 1 of 4)
    api

    Building a Monetized API (Part 1 of 4)

    Martyn Davies April 13, 2026
    0 views

    Before you can charge for your API, you need the gateway set up right. Set up origin auth, consumer isolation, and rate limiting as the foundation for adding monetization.


    title: Building a Monetized API (Part 1 of 4) series: Building a Monetized API published: true description: "Before you can charge for your API, you need the gateway set up right. Set up origin auth, consumer isolation, and rate limiting as the foundation for adding monetization." tags: api, monetization, apigateway cover_image: https://zuplo.com/og?text=Building%20a%20Monetized%20API%2C%20Part%201%3A%20The%20Gateway

    Use a ratio of 100:42 for best results.

    published_at: 2026-04-13 12:43 +0000 canonical_url: https://zuplo.com/blog/building-a-monetized-api-part-1

    This is Part 1 of a four-part series on building a fully monetized API with Zuplo, from gateway to self-serve API keys, usage-based plans, MCP server, and developer portal.

    Before any of that works, you need the gateway set up right. That's what we're covering here.

    {% embed https://www.youtube.com/watch?v=FMcYofeBoxE %}

    What we're building

    The API behind all of this is a changelog and release notes service. Teams can create projects, publish changelog entries into a database, and query them with full-text search, filtering, and pagination. Think of it as a storage layer for release notes that you can query programmatically.

    It's built with Hono and TypeScript, deployed on Vercel with a Supabase backend. Nothing exotic, but it has enough endpoints (12) and enough complexity (project scoping, search, pagination) to make the monetization and MCP parts of this series actually interesting. A to-do list API wouldn't cut it here.

    The Changeloggle developer portal showing the API reference with all endpoints

    This is a four-part series. After the gateway setup in this post, we'll cover adding monetization, meters, and plans (Part 2), an MCP server with plan-gated access (Part 3), and developer portal polish (Part 4).

    Step 1: Importing the OpenAPI spec

    Starting from a blank Zuplo project, the fastest way to get going is to import the OpenAPI specification that describes the existing API. This pulls in all 12 endpoints with their verbs, paths, and schema definitions.

    After the import, every route's request handler points at api.example.com/v1, which is the placeholder from the spec. We need to point these at the real API.

    The cleanest way to do this is with an environment variable. In Zuplo's settings, create a new variable called BASE_URL and set it to the actual API URL. Apply it across all environments (working copy, staging, production).

    Then update the service URL in any one route to use $env(BASE_URL). Because Zuplo's route designer shares the service configuration across routes, this single change applies to all 12 endpoints.

    💡 Environment Variables — Learn more about managing configuration across environments in Zuplo.

    Step 2: Origin authentication with a shared secret

    Here's where the first important architectural decision comes in. The destination Changeloggle API (hosted on Vercel) is publicly accessible. Anyone who discovers the URL could bypass the gateway entirely. We need to lock that down.

    The approach: a shared secret. The Changeloggle API checks for an x-gateway-secret header on every incoming request. If it's missing or wrong, the request gets a 401. Only Zuplo knows the secret, so only Zuplo can talk to the origin.

    Shared secret flow: the API gateway forwards requests with the secret, while direct requests without it are rejected

    To implement this, add GATEWAY_SECRET as a secret environment variable in Zuplo's settings. Secrets are encrypted and not visible in the dashboard after creation. We'll wire this into a custom policy alongside consumer isolation in the next step.

    Step 3: Consumer isolation via API key subjects

    With the origin locked down, the next step is making sure every request carries the identity of the consumer making it.

    Every API key in Zuplo has a "subject", which is a unique identifier for the consumer. When a request comes in with a valid API key, request.user.sub contains that subject. By forwarding it to the origin as an x-consumer-id header, the backend can scope all data operations to that specific consumer.

    Consumer isolation: each API key's subject is forwarded as x-consumer-id, scoping data to individual customers in Supabase

    This means each API key can only create and access its own projects and changelog entries. There's no way for one consumer to read another consumer's data, because the origin uses that consumer ID as a partition key for all database queries.

    To implement both the shared secret and consumer isolation, first add the built-in API Key Authentication policy to every route. This handles key validation and populates request.user with the consumer's identity. Then create a custom inbound policy that runs after it. In Zuplo, create a new module called set-request-headers:

    import { ZuploContext, ZuploRequest } from "@zuplo/runtime";
    
    export default async function (request: ZuploRequest, context: ZuploContext) {
      request.headers.set("x-gateway-secret", context.env.GATEWAY_SECRET);
      request.headers.set("x-consumer-id", request.user.sub);
    
      return request;
    }
    

    The API key policy upstream has already validated the request and populated request.user, so this policy just sets two headers on the outgoing request to the origin: the gateway secret for authentication, and the consumer ID for isolation.

    Why does this matter for monetization? When we add metering and plans in Part 2, Zuplo's monetization system will handle API key creation and consumer identity automatically. The request.user.sub value will still be there, and it will still flow through this same policy to the origin. We won't need to change this code at all.

    💡 API Key Authentication — Details on API key subjects, metadata, and key management in Zuplo.

    Step 4: Rate limiting

    Add a rate limiting inbound policy set to 100 requests per minute, keyed by IP address. Apply it to all routes, and make sure it executes before the header-setting policy so abusive traffic is rejected as cheaply as possible.

    This is distinct from the request limits that monetization adds in Part 2.

    Request limits are business logic: a free tier gets 20 requests/month, a paid tier gets 50,000. Rate limiting is infrastructure protection: no single IP should be able to send 1,000 requests in a minute regardless of their plan. You need both.

    Step 5: Testing end to end

    To verify the full chain works, we need a temporary API key. In Zuplo's API key service, create a consumer with a UUID as the subject. Generate a key for that consumer.

    Then make a test request to the create project endpoint with the API key as a Bearer token:

    curl -X POST https://your-gateway.zuplo.dev/v1/projects \
      -H "Authorization: Bearer zpka_your_api_key" \
      -H "Content-Type: application/json" \
      -d '{"name": "My Project", "description": "A test project", "url": "https://example.com"}'
    

    A 201 response confirms the full chain is working: Zuplo received the request, validated the API key, set the gateway secret and consumer ID headers, forwarded it to the Changeloggle API on Vercel, and the origin accepted it.

    Note: this API key setup is temporary. When we add monetization in the next post, API key creation and management moves to the self-serve developer portal. Consumers will sign up, choose a plan, and generate their own keys. The manual key service configuration goes away.

    What we built in Part 1

    At this point, the gateway is set up with:

    • All 12 endpoints imported from the OpenAPI spec
    • Environment-based upstream URL configuration
    • Origin authentication via a shared secret
    • Consumer isolation via API key subjects forwarded as headers
    • IP-based rate limiting as an abuse backstop

    Every one of these decisions was made with monetization in mind. The shared secret locks down the origin. The consumer ID enables per-customer data isolation. The rate limiting sits in a position where it can coexist with per-plan metering. And none of this needs to be rewritten when we add billing.

    Next up: Adding Monetization

    In Part 2, we'll add metering, create subscription plans (free, starter, and pro), configure the developer portal's pricing page, and test the full flow of a user signing up, choosing a plan, and making authenticated requests with usage tracking.

    • Configure metering on API requests
    • Create subscription plans (free, starter, pro)
    • Connect Stripe for checkout and billing
    • Set up the developer portal pricing page
    • Test the full sign-up and usage tracking flow

    The Changeloggle pricing page with Free, Starter, and Pro plans

    Tags

    apimonetizationapigateway

    Comments

    More Blog

    View all
    Context bankruptcy: The case for strategic forgetting for AI Agentsai

    Context bankruptcy: The case for strategic forgetting for AI Agents

    Most of us have seen a coding agent fail to complete a task we know it can do. We just don't...

    J
    James O'Reilly
    Parallel Compliance Engine: Drive-to-Sheets Multi-Agent Orchestrationgooglecloud

    Parallel Compliance Engine: Drive-to-Sheets Multi-Agent Orchestration

    When building Generative AI applications, developers often encounter a massive bottleneck: sequential...

    A
    Aryan Irani
    Is It Ethical to Post and Ask About Circuits on Dev.to?discuss

    Is It Ethical to Post and Ask About Circuits on Dev.to?

    I’ve been thinking about sharing some electronic circuit posts on Dev.to — small circuits, DIY...

    C
    codebunny20
    The One-Click Exporter: AI Studio Antigravity, Probed to Its Limitsagents

    The One-Click Exporter: AI Studio Antigravity, Probed to Its Limits

    What nobody tells you about exporting your multi-agent prototype to a local workspace. Every...

    L
    leslysandra
    Guarding the till while autonomous data agents do the diggingagenticarchitect

    Guarding the till while autonomous data agents do the digging

    Autonomous agents are genuinely good at answering messy business questions. Give one an LLM and a set...

    S
    Sireesha Pulipati
    Return on Attention: Why AI Code Reviews Are Wearing Us Outai

    Return on Attention: Why AI Code Reviews Are Wearing Us Out

    PR volume went up, ticket quality didn't, and the gap got filled with LLMs on both sides of the review: bots reviewing, bots replying, bots occasionally arguing with bots about priorities that only existed in a teammate's head. Our CEO named the actual problem, and it's bigger than code review.

    C
    christine

    Stay up to date

    Get the latest Stable Diffusion prompts, rules, and resources delivered to your inbox weekly.

    Neura Market LogoNeura Market

    Discover the best AI prompts, plugins, and resources for Stable Diffusion and more.

    Content Types

    • Rules
    • Prompts
    • MCPs
    • Agents
    • Guides

    Platforms

    • ChatGPT Directory
    • Claude Directory
    • Gemini Directory
    • Cursor Directory
    • Grok Directory
    • Perplexity Directory
    • DeepSeek Directory
    • CoPilot Directory
    • Stable Diffusion Directory
    • Midjourney Directory
    • All Directories

    Resources

    • Blog
    • Documentation
    • Help Center
    • Marketplace

    Legal

    • Privacy Policy
    • Terms of Service

    © 2026 Neura Market. All rights reserved.

    |

    Not affiliated with any AI platform vendors.

    Ready-made automations for this

    Workflows from the Neura Market marketplace related to this Stable Diffusion resource

    • Webhook Creation and Scheduling for Media Content Monetizationn8n · $14.99 · Related topic
    • Automated Webhook Creation for Content Monetizationn8n · $9.99 · Related topic
    • AI-Powered Autonomous Research Workflow for Content Monetizationn8n · $4.52 · Related topic
    • Automate Security Incident Response: Sheets, Email & EDR Isolationn8n · $24.99 · Related topic
    Browse all workflows