API Rate Limiting

Protect your API routes against abuse and ensure fair usage with rate limiting.

  by Alexandro Martínez (Author)
  6 months ago
    Rate limiting caps the number of API requests a client can make in a given period. It helps prevent abuse and ensures fair use of shared resources. This page describes the rate limiting rules for API requests in our system, including the per-minute and per-second limits, and explains how developers should handle responses that hit those limits.

    Rate Limiting Rules

    Rate limiting is enforced based on the following criteria:

    • Per Minute: Limits the number of requests per minute.

    • Per Second: Limits the number of requests per second.

    • API Key Based: Counters are kept per API key, so one client cannot consume another client's quota. The limit values may vary based on the subscription plan.

    Default Limits

    The default rate limits for our API are:

    • Per Minute: 60 requests

    • Per Second: 5 requests

    You can change the defaults in rateLimitService.ts:

    ...
    const DEFAULT_RATE_LIMIT_PER_MINUTE = 60;
    const DEFAULT_RATE_LIMIT_PER_SECOND = 5;

    // One cache key per API key, per window type (second/minute) and per window timestamp
    function getCacheKey(apiKey: string, period: string, timestamp: number): string {
      return `rateLimit:${apiKey}:${period}:${timestamp}`;
    }
    ...

    Rate Limits as a Plan Feature

    If the tenant's plan has a feature named rate-limit-per-minute or rate-limit-per-second, the feature's value overrides the corresponding default limit.

    [Screenshot: rate-limit-features.png]

    Testing Locally

    You can use any REST API client to test your protected API routes. In the following example, I call the /api/usage route repeatedly until I reach the per-second limit (5 requests/sec).

    [Screenshot: rate-limit-features-local-test.png]

    Cache

    Two cache keys are created (or incremented, if they already exist) on every protected API call, one per window:

    • rateLimit:apiKeyId:second:timestamp: lifespan of 1 second

    • rateLimit:apiKeyId:minute:timestamp: lifespan of 60 seconds

    Each key's lifespan matches its window, so a counter expires as soon as the second or minute it belongs to has passed and stale counters do not pile up in the cache.

    [Screenshot: rate-limit-features-cache.png]

    Handling Rate Limit Errors

    When a rate limit is exceeded, the API returns a 429 Too Many Requests status code along with an error message indicating which limit (per second or per minute) was exceeded and when to try again. Clients should wait for that interval rather than retrying in a tight loop.

    The 429 is also visible in the tenant/account's API logs:

    [Screenshot: rate-limits-api-logs.png]
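    The following is an added example, not the project's own rateLimitService.ts, that puts the pieces described above together in one place: the per-second and per-minute windows with their defaults, the plan-feature override, one cache key per window in the rateLimit:apiKeyId:period:timestamp shape with a lifespan equal to the window, and the 429 response with a "try again" hint. TtlCache, PlanFeatures, checkRateLimit and rateLimitResponse are names assumed for illustration, and the in-memory cache stands in for whatever cache the real service uses.

```typescript
// Added example (not the project's code): a fixed-window rate limiter with
// per-second and per-minute windows, tracked per API key, with plan overrides.
// TtlCache, PlanFeatures, checkRateLimit and rateLimitResponse are assumed names.

type Period = "second" | "minute";

const DEFAULT_RATE_LIMIT_PER_MINUTE = 60;
const DEFAULT_RATE_LIMIT_PER_SECOND = 5;

// Window length in seconds; it is also the cache entry's lifespan.
const WINDOW_SECONDS: Record<Period, number> = { second: 1, minute: 60 };
const PERIODS: Period[] = ["second", "minute"]; // shortest window first

// Plan features as a name -> value map. A feature named rate-limit-per-second
// or rate-limit-per-minute overrides the matching default.
type PlanFeatures = Record<string, number | undefined>;

function limitFor(period: Period, features: PlanFeatures): number {
  const override = features[`rate-limit-per-${period}`];
  if (override !== undefined) return override;
  return period === "second" ? DEFAULT_RATE_LIMIT_PER_SECOND : DEFAULT_RATE_LIMIT_PER_MINUTE;
}

// Minimal in-memory stand-in for the real cache (Redis or similar in production).
// A counter that has outlived its lifespan is treated as absent, so a stale window
// never leaks into the next one. increment() returns the count including this call.
class TtlCache {
  private entries = new Map<string, { count: number; expiresAt: number }>();

  increment(key: string, ttlMs: number, nowMs: number): number {
    const entry = this.entries.get(key);
    if (entry !== undefined && entry.expiresAt > nowMs) {
      entry.count += 1;
      return entry.count;
    }
    this.entries.set(key, { count: 1, expiresAt: nowMs + ttlMs });
    return 1;
  }

  keys(): string[] {
    return [...this.entries.keys()];
  }
}

// Same key shape as the page. The timestamp is the window index (the current
// second number or minute number), so a key only counts requests from that window.
function getCacheKey(apiKeyId: string, period: Period, windowIndex: number): string {
  return `rateLimit:${apiKeyId}:${period}:${windowIndex}`;
}

type LimitResult =
  | { allowed: true }
  | { allowed: false; period: Period; limit: number; retryAfterSeconds: number };

// nowMs is injected so the logic is deterministic; pass Date.now() at the call site.
function checkRateLimit(cache: TtlCache, apiKeyId: string, features: PlanFeatures, nowMs: number): LimitResult {
  for (const period of PERIODS) {
    const windowMs = WINDOW_SECONDS[period] * 1000;
    const windowIndex = Math.floor(nowMs / windowMs);
    const count = cache.increment(getCacheKey(apiKeyId, period, windowIndex), windowMs, nowMs);
    const limit = limitFor(period, features);
    if (count > limit) {
      // Tell the client how long until this window rolls over.
      const windowEndMs = (windowIndex + 1) * windowMs;
      return { allowed: false, period, limit, retryAfterSeconds: Math.ceil((windowEndMs - nowMs) / 1000) };
    }
  }
  return { allowed: true };
}

// What the route sends when checkRateLimit denies the call: 429, a Retry-After
// header, and a body naming the exhausted limit.
function rateLimitResponse(denied: Extract<LimitResult, { allowed: false }>) {
  return {
    status: 429,
    headers: { "Content-Type": "application/json", "Retry-After": String(denied.retryAfterSeconds) },
    body: JSON.stringify({
      error: `Rate limit exceeded: ${denied.limit} requests per ${denied.period}`,
      retryAfterSeconds: denied.retryAfterSeconds,
    }),
  };
}

// Usage with constructed input: six calls from one key inside the same second.
const demoCache = new TtlCache();
let demoResult: LimitResult = { allowed: true };
for (let i = 0; i < 6; i++) demoResult = checkRateLimit(demoCache, "key_123", {}, 1_000);
if (demoResult.allowed === false) console.log(rateLimitResponse(demoResult));
```

    Two properties of this design are worth knowing before relying on it. Denied calls still increment the counter, so a client that keeps hammering after a 429 stays locked out until the window ends, which is why the Retry-After hint matters. And because the windows are fixed rather than sliding, a client can send up to twice the limit across a window boundary (five requests in the last millisecond of one second and five more in the first millisecond of the next); if that burst is unacceptable, a sliding window or token bucket is the usual fix.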

    Conclusion

    Rate limiting is crucial for maintaining the performance and reliability of your API. By following the above guidelines and using the provided implementation, you can effectively manage the rate limits for your API and ensure fair usage among your clients.

    Let me know what you think!
