For stable and predictable API operation, it is not enough to scale; the number of requests must also be controlled. We implement flexible rate limiting that lets you set limits per API key, user ID or IP address. This protects the system from abuse and overload and makes it possible to honour the SLA promised to each client.
How rate limiting works
| Approach | What it controls |
|---|---|
| By API key | Limit on the number of requests from one integrator or application |
| By user ID | Individual limit per user (e.g. a mobile app user) |
| By IP address | Protection against spam or volumetric abuse from a single source address; the coarsest key, since many users may share one NAT address and forwarded-for headers must come from a trusted proxy |
| By endpoint/method | Ability to limit sensitive or expensive methods (e.g. search, write) separately |
Settings and features
Limit units: RPS, RPM, RPH (requests per second/minute/hour)
Sliding window, fixed window, token bucket and leaky bucket algorithms
HTTP 429 (Too Many Requests) responses with a customizable error message
Automatic unblocking once the limit window expires
Metrics: number of limit violations, clients approaching their limit, reset frequency
Business benefits
Protection against overloads and DoS attacks
Lower infrastructure costs
Quality control of customer integrations
Early detection of abnormal activity, such as brute-force or scraping attempts, that may indicate abuse or probing for vulnerabilities
Separate, higher limits for priority (VIP) clients
Where it matters most
API for financial transactions
Gaming platforms with frequent user activity
E-commerce services with high filtering and search rates
Public APIs and open platform solutions
Rate limiting gives you control over the availability, safety and quality of the API. We implement targeted limits that protect the infrastructure and keep operation predictable under load.