`APIs` entity refinements

[mathieuancelin]

The API entity has become the central abstraction for exposing and governing services in Otoroshi. While it already covers routing, security and exposure concerns, real-world usage has revealed limitations around lifecycle management, access control, subscriptions, and overall configuration clarity.

This issue aims to refine the API entity to make it a first-class product surface for API governance, developer onboarding, and platform monetization, while simplifying configuration and improving consistency.

Goals

• simplify and clarify API configuration and lifecycle behavior
• improve access control and subscription workflows
• introduce plans and pricing capabilities
• support analytics, ownership and governance metadata
• improve visibility, validation and extensibility mechanisms
• streamline the developer and operator experience

Scope

This umbrella issue tracks improvements including:

Configuration & lifecycle

• refactor draft vs production modes
• remove legacy access mode
• streamline API configuration
• support concurrent API versions

Security & compliance

• mandatory flags for client certificate plugins
• mandatory flag for OIDC JWT verification

Plans & subscriptions

• introduce plans in the API entity
• support plan subscription and edition
• define plan access kinds
• support subscription transfer

Monetization

• pricing configuration in plans
• pricing references in subscriptions

Visibility & validation

• extended visibility levels
• configurable validation strategies

Governance & extensibility

• owner references for APIs
• hooks configuration
• analytics support

Outcome

These refinements evolve Otoroshi from an API exposure tool into a more complete API platform layer, enabling clearer governance, safer exposure policies, flexible consumption models, and improved developer experience.