FakeAmazon Demo

Middleware Mode — PayFence validates tokens in-app

Big Token Quota (Steps 2, 5, 6)
Tiny Token Quota (Step 7 Burn)
1. Health Check

GET /healthz -- confirms the FakeAmazon server is running. No authentication required.

2. Product Search (with token)

GET /v1/products/search with a valid PayFence token. The middleware validates the token, deducts quota, and returns products.

3. No Token = 402

Same endpoint, but without a token. The middleware returns 402 Payment Required with a checkout URL.

4. View Cart (Free)

GET /v1/carts/demo-cart -- a free endpoint that does not require a token or deduct quota.

5. Add to Cart (5 units)

POST to add an item to cart. Requires a token, costs 5 quota units.

6. Checkout (20 units)

POST to create an order. The most expensive operation, costing 20 quota units.

7. Quota Exhaustion (402)

Switch to a TINY token (5 units). Make requests until the quota hits zero and the API returns 402 with a checkout URL.

What This Demonstrates

Middleware Mode means FakeAmazon integrates the PayFence SDK directly into its application code. On each request, the middleware validates the token, checks the remaining quota, and deducts the appropriate amount.

Free vs. paid endpoints -- some endpoints (like viewing a cart) are free and require no token. Others (like search, add-to-cart, checkout) require authentication and consume quota.

Tiered pricing -- different operations cost different amounts. A simple search might cost 1 unit, while a checkout costs 20. This lets API providers price based on the value of each operation.

Graceful degradation -- when quota runs out, the API does not crash. It returns a clear 402 response with a checkout URL, enabling the consumer to self-serve and purchase more credits.
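
A minimal sketch of the per-request flow described above (free routes, per-operation cost, 402 with a checkout URL), added here as an illustration and not PayFence SDK code. The class and function names, the two POST paths, the checkout URL, treating an unknown token like a missing one, and returning 404 for unlisted routes are assumptions; the quota check and the deduction share one lock so concurrent requests cannot overspend a token.

```python
import threading

CHECKOUT_URL = "https://payfence.example/checkout"  # placeholder, not a real URL

# Free routes need no token and deduct nothing (steps 1 and 4 on this page).
FREE = {("GET", "/healthz"), ("GET", "/v1/carts/demo-cart")}
# Paid routes and their cost in quota units. The POST paths are assumed;
# the search cost of 1 is the page's illustrative figure.
COSTS = {
    ("GET", "/v1/products/search"): 1,
    ("POST", "/v1/carts/demo-cart/items"): 5,
    ("POST", "/v1/orders"): 20,
}


class QuotaStore:
    """Hypothetical in-memory map of token -> remaining quota units."""

    def __init__(self, balances):
        self._balances = dict(balances)
        self._lock = threading.Lock()

    def try_deduct(self, token, cost):
        """Check and deduct in one critical section; None means refused."""
        with self._lock:
            remaining = self._balances.get(token)
            if remaining is None or remaining < cost:
                return None  # unknown token or not enough quota: no change
            self._balances[token] = remaining - cost
            return remaining - cost


def handle(store, method, path, token=None):
    """Return (status, body) the way an in-app middleware would gate a request."""
    route = (method, path)
    if route in FREE:
        return 200, {"charged": 0}
    cost = COSTS.get(route)
    if cost is None:
        return 404, {"error": "not_found"}  # unlisted routes are never free
    remaining = store.try_deduct(token, cost) if token else None
    if remaining is None:
        return 402, {"error": "payment_required", "checkout_url": CHECKOUT_URL}
    return 200, {"charged": cost, "remaining": remaining}
```

A request that costs more than the remaining balance is refused without changing the balance, so a token with 3 units left cannot add to cart but can still run three searches.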

Proxy Mode vs. Middleware Mode

| Aspect | Proxy (FakeExpedia) | Middleware (FakeAmazon) |
|---|---|---|
| Integration | Zero code changes -- gateway sits in front | SDK added to app code |
| Traffic flow | Client → Gateway → Origin | Client → App (with middleware) |
| Latency | Small hop through gateway | Direct, in-process validation |
| Origin protection | Gateway enforces origin lockdown | App handles its own auth |
| Best for | Existing APIs, quick adoption | Custom logic, fine-grained control |