The UK Open Banking Specifications state:
RTS – Article 31(5)
Account information service providers shall be able to
access information from designated payment accounts and associated
payment transactions held by account servicing payment service providers
for the purposes of performing the account information service in
either of the following circumstances:
(a) whenever the payment service user is actively requesting such information;
(b) where the payment service user is not actively requesting such
information, no more than four times in a 24 hour period, unless a
higher frequency is agreed between the account information service
provider and the account servicing payment service provider, with the
payment service user’s consent.
Although it is difficult to determine what constitutes a PSU
“actively requesting information”, the ASPSP may utilise the FAPI
headers (x-fapi-customer-last-logged-time and
x-fapi-customer-ip-address) to make a determination of whether the PSU
is “actively requesting such information”.
source: https://www.openbanking.org.uk/read-write-apis/account-transaction-api/v1-1-0/
In order to implement this in Apigee you can create a quota policy:
<Quota name="Quota">
    <Interval>1</Interval>
    <TimeUnit>day</TimeUnit>
    <Allow count="4"/>
    <Identifier ref="identifier"/>
    <Distributed>true</Distributed>
    <Synchronous>true</Synchronous>
</Quota>
You can replace the Identifier ref with a variable which holds the TPP identifier concatenated with the user id or account id.
Please see the policy docs here.
You can then create a condition using the FAPI headers, as you desire. Your Proxy Endpoint may contain the following…
<PreFlow>
    <Request>
        <Step>
            <Name>ValidateAccessToken</Name>
        </Step>
        <Step>
            <Name>Quota</Name>
            <Condition>request.header.x-fapi-customer-ip-address = NULL</Condition>
        </Step>
    </Request>
    <!-- ... -->
</PreFlow>
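The rule that the Quota policy and its condition enforce can be written as a small reference model, useful for deriving test cases for the proxy. This JavaScript is an added example, not part of the original post and not Apigee code; the names (`tppId`, `accountId`, `makeLimiter`), the sample traffic and the rolling 24-hour window are assumptions.

```javascript
// Added reference model; every name here is hypothetical, none is an Apigee API.
const LIMIT = 4;                        // <Allow count="4"/>
const WINDOW_MS = 24 * 60 * 60 * 1000;  // "24 hour period", rolling window assumed
const PSU_HEADER = 'x-fapi-customer-ip-address';

// HTTP header names are case-insensitive, so compare in lower case.
function psuPresent(headers) {
  return Object.keys(headers).some((h) => h.toLowerCase() === PSU_HEADER);
}

// Quota identifier: TPP identifier concatenated with the account id.
function quotaIdentifier(tppId, accountId) {
  if (!tppId || !accountId) throw new Error('identifier part missing');
  return tppId + ':' + accountId;
}

function makeLimiter() {
  const counted = new Map(); // identifier -> timestamps (ms) of counted calls
  return function check(req) {
    // PSU is actively requesting: the Quota step is skipped entirely.
    if (psuPresent(req.headers)) return { allowed: true, counted: false };
    const id = quotaIdentifier(req.tppId, req.accountId);
    const recent = (counted.get(id) || []).filter((t) => req.time - t < WINDOW_MS);
    const allowed = recent.length < LIMIT;
    if (allowed) recent.push(req.time);
    counted.set(id, recent);
    return { allowed: allowed, counted: allowed };
  };
}

// Constructed sample traffic; times are hours from an arbitrary start.
function runSample() {
  const H = 60 * 60 * 1000;
  const check = makeLimiter();
  const call = (tppId, accountId, hour, headers) =>
    check({ tppId, accountId, time: hour * H, headers: headers || {} });
  const psu = { 'X-FAPI-Customer-IP-Address': '203.0.113.7' }; // constructed value
  return [
    call('tpp-a', 'acct-1', 0),       // unattended calls 1..4 are allowed
    call('tpp-a', 'acct-1', 1),
    call('tpp-a', 'acct-1', 2),
    call('tpp-a', 'acct-1', 3),
    call('tpp-a', 'acct-1', 4),       // fifth unattended call is rejected
    call('tpp-a', 'acct-1', 5, psu),  // PSU present: allowed, not counted
    call('tpp-b', 'acct-1', 5),       // other TPP has its own counter
    call('tpp-a', 'acct-1', 24),      // the hour-0 call has aged out
  ].map((r) => r.allowed);
}
```

Replaying the same sequence against the deployed proxy and comparing the allow/reject pattern shows whether the identifier and the condition behave as intended.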