The eight clauses that matter
API scope + use case
What endpoints the licensee may call, what data may be retrieved, what use cases are permitted, and what is expressly prohibited (resale, scraping, training AI models).
Rate limits + quotas
Per-second / per-day / per-month call ceilings and the consequences of exceeding them (throttling, surcharges, suspension).
Authentication + key security
API key issuance, rotation, revocation, and the licensee's obligation to secure keys. Liability for breach attributable to compromised keys.
Service levels + uptime
API-specific SLA, error-rate guarantees, planned-maintenance windows, status-page commitments and remedies for breach.
Data handling + POPIA
Where personal information passes through the API, operator-agreement terms under section 21 POPIA; cross-border treatment under section 72 if data leaves SA.
IP allocation
Provider retains the underlying platform IP; licensee owns its own data and any derivative works it builds on top of API outputs (subject to defined carve-outs).
Versioning + deprecation
Provider's right to evolve the API, mandatory notice periods for breaking changes, support windows for deprecated versions.
Term + termination
Subscription model, termination for misuse, wind-down access, and key-revocation procedure on exit.
Frequently asked
What is the difference between an API licence agreement and a SaaS subscription?
A SaaS subscription grants access to a user-facing application; an API licence grants programmatic access to underlying functionality or data, typically consumed by another application or a developer's product. The clauses are similar, but API licences add API-specific elements: rate limits, authentication mechanics, versioning policy, and prohibitions on re-distribution of API responses.
Can I prohibit licensees from using my API to train AI models?
Yes — and increasingly providers do, given the commercial sensitivity of training-data access. The acceptable-use clause should expressly prohibit using API responses to train machine-learning models without separate written consent. Without an express prohibition, the implied licence to use API responses for the licensee's ordinary business may extend to training use.
How are SLA obligations different for APIs versus user-facing SaaS?
API SLAs typically specify: (i) availability of the API endpoint (95–99.9% depending on tier); (ii) maximum acceptable error rate; (iii) maximum acceptable latency at defined percentiles (e.g. p95 < 200ms); (iv) rate-limit fairness. Remedies are usually service credits keyed to monthly API spend or the option to escalate to a higher availability tier.
What does an API licence look like under POPIA?
If the API processes personal information on behalf of the licensee, the API provider is an operator and a section 21 POPIA operator agreement is mandatory. The agreement should cover scope of processing, security measures (s 19), breach notification, sub-processors, audit rights, and cross-border transfers (s 72). Many SA API providers embed these terms in a Data Processing Addendum to the master licence.
How long should the deprecation notice be for an API version?
Commercial practice ranges from 6 months for minor deprecations to 12-24 months for major versions. The longer the notice, the more attractive the API is to enterprise integrators; the shorter the notice, the easier it is for the provider to evolve. Contractually defined notice periods are increasingly demanded by enterprise licensees as a condition of integration.
What is the typical cost of bespoke API licence drafting in SA?
From R12,000 for a single-direction bilateral licence; R15,000–R20,000 for a multi-tier (free / startup / enterprise) framework where the licence forms part of a published developer-tier matrix. Add R5,000–R8,000 for a separately-drafted DPA if personal information is processed.