Rate limit by user or key

Rate limit by user or key

For stable and predictable API operation, it is important not only to scale, but also to control the number of requests. We implement flexible limiting, which allows you to set limits based on API keys, user IDs or IP addresses. This protects the system from abuse, overload and gives the opportunity to guarantee SLAs to each client.

How rate limiting works

Approach	What controls
By API key	Limit on the number of requests from one integrator or application
By User ID	Individual limit per user (for example, in a mobile application)
By IP Address	IP Anti-Spam or DDoS
By endpoint/method	Ability to restrict sensitive methods (e.g. search, write)

Settings and functions

Limit support: RPS, RPM, RPH (requests per second/minute/hour)
Sliding window, fixed window, token bucket and leaky bucket algorithms
429 Code Return and Custom Error Message
Auto Timer Unlock
Metrics: number of exceedances, tokens on the edge of the limit, reset frequency

Business benefits

Protection against overloads and DoS attacks
Lower infrastructure costs
Quality control of customer integrations
Identification of abnormal activity and possible vulnerabilities
Ability to allocate VIP users with separate limits

Where especially important

API for financial transactions
Gaming platforms with frequent user activity
E-commerce services with high filtering and search rates
Public APIs and open platform solutions

Rate limiting is the control, safety and quality of the API. We implement point constraints that protect the infrastructure and ensure predictable operation under any load.