API Licence Agreement
Template — South Africa

Defines the provisioning of API credentials (API keys, OAuth 2.0 client credentials, JWT tokens), the authentication flows supported, sandbox versus production environment access, credential rotation policies, and the API consumer's obligation to secure their credentials. Specifies that API keys are confidential and may not be shared, embedded in client-side code, or used in a manner that exposes them to unauthorised parties. Addresses multi-factor authentication requirements for administrative API operations.

Establishes requests-per-second, requests-per-minute, and requests-per-day limits for each API tier, burst allowances for traffic spikes, throttling behaviour when limits are exceeded (HTTP 429 responses with Retry-After headers), quota monitoring dashboards, and overage handling — whether excess calls are blocked, throttled, or billed at a premium rate. This section prevents infrastructure abuse while providing predictable capacity for legitimate consumers.

Defines the scope of the API licence grant — typically non-exclusive, non-transferable, and revocable. Lists prohibited uses including white-labelling the API output without authorisation, using the API to build a competing service, data scraping beyond authorised endpoints, redistribution of API data to third parties, circumvention of rate limits or security mechanisms, and any use that violates South African law including the Cybercrimes Act 19 of 2020. The permitted use definition is critical for intellectual property protection under the Copyright Act.

Addresses API data ownership, caching policies (whether the consumer may cache API responses and for how long), data retention obligations, POPIA compliance when personal information is transmitted through the API — including the identification of responsible party and operator roles under Section 1, security measures under Section 19, and cross-border transfer safeguards under Section 72 where API calls cross international borders. Specifies data deletion obligations on termination of the agreement.

Sets out the API versioning strategy (URI versioning, header versioning, or query parameter versioning), minimum support periods for deprecated versions (typically 12 months from deprecation announcement), migration timelines and tooling the provider will make available, breaking versus non-breaking change policies, notification requirements through developer communications and API response headers (e.g., Sunset and Deprecation headers), and backwards compatibility commitments for minor version releases.

Defines API uptime commitments (typically 99.9% for production APIs), the measurement methodology, planned maintenance windows and advance notification requirements, status page and real-time monitoring obligations, incident notification procedures, and service credit mechanics for periods when the API fails to meet availability targets. Distinguishes between total outage and degraded performance, and specifies the impact of each on SLA calculations.

Establishes the pricing model — whether free tier with limited calls, per-call or per-transaction fees, monthly subscription tiers, or volume-based pricing with committed usage discounts. Covers billing cycles, invoicing procedures, payment terms (typically 30 days), late payment consequences, and the treatment of VAT at 15% under the Value-Added Tax Act 89 of 1991. For usage-based pricing, specifies how API calls are counted and what constitutes a billable call versus a non-billable call (e.g., authentication errors).

Confirms that the API, its documentation, the underlying algorithms, and all associated intellectual property remain the exclusive property of the provider, protected as literary works under Section 1 of the Copyright Act 98 of 1978. Defines any required attribution or branding guidelines, "Powered By" badge requirements for consumer-facing applications, trademark usage rules, and the consumer's obligation not to reverse engineer, decompile, or create derivative works from the API — activities that would constitute copyright infringement under Sections 6 and 7 of the Copyright Act.

Mutual confidentiality obligations protecting API credentials, technical documentation, pricing terms, and business information exchanged in connection with the API programme. Specifies the API consumer's obligation to implement reasonable security measures to protect data received through the API, to notify the provider promptly of any security breach involving API credentials, and to cooperate with incident response procedures.

Caps the provider's aggregate liability at the total fees paid by the consumer in the 12 months preceding the claim, excludes indirect and consequential damages (subject to CPA limitations where applicable), and establishes mutual indemnification obligations — the provider indemnifies for IP infringement claims, and the consumer indemnifies for misuse of the API, violation of the acceptable use terms, and claims arising from the consumer's application or service that integrates the API.

Defines the agreement term, renewal provisions, termination for convenience with notice, termination for cause (material breach, insolvency, violation of acceptable use terms), the provider's right to suspend API access immediately for security threats or persistent abuse, and post-termination obligations including cessation of API calls, deletion of cached data, and removal of API-derived content from the consumer's applications.

Specifies South African law as the governing law and establishes a dispute resolution process beginning with negotiation between designated representatives, escalating to mediation under the Arbitration Foundation of Southern Africa (AFSA) rules, and proceeding to binding arbitration if mediation fails. Includes provisions for urgent interim relief through the High Court to protect intellectual property or prevent data breaches.