Device limit bypass using REST API and c8y_IsDevice fragment

Hello,

I am currently trying to enforce a device limit on our customers’ tenants.

When I set the limit via the Administration UI, it correctly appears in the usage statistics. Additionally, if I try to register a device through the Device Registration page on the tenant, it correctly shows that the device limit has been reached and prevents further registrations.

However, I noticed that if I create a managed object with the fragment "c8y_IsDevice": {} via the REST API, the request completes successfully—even when the limit has already been reached. The created object is also visible as a device in the Device Management.

As far as I understand, devices that are billed to us are defined by the number of managed objects that include this fragment.

So in theory, a customer could create a large number of billable devices via the REST API, bypassing the device limit set on their tenant.

Am I correct in this assumption, and is this the intended behavior?

Thanks in advance!

Hi,
First of all apologies for the lack of clarity in the documentation, we will work on updating this, to make it obvious that the limitation is aimed at the UI only and that the REST API does not check the tenant options. We also recognise this behaviour it not intuitive and will address this at some point in the future.
Regards, Jane.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.