We have a situation where a proxy will need to support both key and OAuth for authentication. Not a great situation, we realize. For the external vendor utilizing key auth, they will have a restricted set of resources available to them. We still will be using rate limiting and were wondering if there was a way to have only one set of quota and spike arrest policies. Generally, we've used flow variables that were associated with the type of auth policy, but as there are two different authentication schemes, does this mean that we will have to use alternate rate limit policies for the two scenarios? I saw the warnings against using the vars which I would be inclined to leverage:
Note: Apigee recommends that you do not use the following variables for the quota identifier:
The reason for avoiding the use of these variables is that these IDs are generated internally by Apigee and are not guaranteed to stay the same over time. Apigee could change the format or length of these IDs, for example.