Rate Limit Control List
With this policy, the following settings can be made for each API and endpoint:
- Permitted Message Count (Permitted Message Count): Maximum number of requests allowed within the specified time interval.
- Time Interval Period Length (Time Interval Period Length): The length of the time interval.
- Time Interval (Time Interval): The unit of the time interval (second, minute, hour, day, month).
Rate limit control works as follows:
When a request arrives, its identity is determined according to the selected identity source: either the value of a variable you choose (e.g. IP address, user, or API key), or the user information resolved from authentication.
It is checked whether the determined identity belongs to the target audience. The identity is included if it is in the target credentials list or matches any of the target audience conditions (OR logic).
If the identity is in the target audience, the limit defined for the relevant API and endpoint is checked.
If the identity is not in the target audience, the out-of-target action is applied: the request is either blocked, or the general quota defined for out-of-target requests (a single shared quota for all out-of-target requests, or a separate quota per identity) takes effect.
If the relevant limit has been exceeded, the request is rejected; if not, processing continues.
While responding to the request, if configured, rate limit statistics are added to response headers.
This configuration provides a powerful mechanism to protect your APIs against overuse and set different usage limits for different users.
An image containing Rate Limit control list page settings is shown below:
The fields used for rate limit configuration are shown in the table below.
| Field | Description |
|---|---|
| Name | A name can be written to facilitate the use and management of the configuration. You will need this name during configuration management and selection. |
| Description | A description can be written to facilitate the use and management of the configuration. |
| Identity Source (Identity Source) | Determines which identity the rate limit is applied to. When Variable selection is chosen, the identity is taken from the value of a variable you choose (e.g. IP address, user, or API key). When User resolved from authentication is chosen, the identity is taken from the user information resolved by authentication; for this option the relevant API must have an authentication policy running in the last position. |
| Execution Order (Execution Order) | Determines when the rate limit policy will be applied. Rate limit controls always run after policies on the "ALL" line, but when FIRST is selected, they are applied before other policies on the endpoint, and when LAST is selected, they are applied after other policies on the endpoint. When the identity source is User resolved from authentication, this value is automatically set to LAST and cannot be changed, because authentication must run first for the identity to be resolved. |
| Interval Window Type (Interval Window Type) | Determines the type of time interval to be used in rate limit calculation. It can take FIXED or SLIDING values. When FIXED is selected, a fixed number of requests are accepted within a certain period (e.g., every hour). When SLIDING is selected, the number of requests within the last certain period (e.g., last 1 hour) is taken into account. |
| Cache Connection Timeout (second) (Cache Connection Timeout (second)) | Determines the maximum time to wait when connecting to the cache service in seconds. |
| Action for Cache Connection Error (Action for Cache Connection Error) | Determines the action to be taken when an error occurs during connection to the cache service. When FAIL is selected, the request is rejected in case of connection error, and when CONTINUE is selected, the request continues to be processed. |
| Show Rate Limit Statistics in Response Header (Show Rate Limit Statistics in Response Header) | Determines whether rate limit information will be shown in response headers. When set to TRUE, information such as remaining request count, limit value, and time until limit renewal is added to response headers (RateLimit-Remaining, RateLimit-Limit, RateLimit-Reset, X-RateLimit-Identity, X-RateLimit-Type headers). |
| Apply by Variable (Apply by Variable) | Determines the variable to be used to identify the user or client to which rate limit will be applied. This can be, for example, IP address, user ID, or API key. It is shown only when the identity source is Variable selection. If the selected variable relies on an identity obtained through authentication, a warning is shown indicating that the relevant authentication policy must run before this control. |
| Target Audience (Target Audience) | The list of conditions that define the identities to which the rate limit is applied. Each condition consists of an operator (equals, contains, starts with, ends with, is in the list, etc.) and a value. The conditions are evaluated with OR logic; an identity is included in the target audience if it matches any of the conditions. |
| Target Credentials (Target Credentials) | List of specific identity values to which rate limit will be applied. Rate limit is applied for identity values found in this list. |
| Out-of-target Action (Out-of-target Action) | Determines what happens to requests whose identity is not in the target audience. When Block the flow is selected, these requests are blocked. When Apply general quota is selected, a separate general quota is applied to out-of-target requests. |
| Quota Mode and General Quota Limits (Quota Mode) | Used only when the out-of-target action is Apply general quota. When Single shared quota for all out-of-target is selected, all out-of-target requests share a single common limit; when Separate quota per out-of-target identity is selected, each out-of-target identity has its own limit. The permitted message count, time amount, and time unit for the general quota are defined in this section. |
| APIs and Endpoints (APIs and Endpoints) | List of APIs and endpoints to which the rate limit policy will be applied. |