Overview
A Rate Limiting policy controls how many API requests a client profile can make within a defined time window. It protects your backend services from traffic overload, prevents abuse, and ensures fair usage across all API consumers.
Once the configured request limit is reached for a profile within the time window, any further requests are rejected and the configured error message is returned. The counter resets after the window expires.
Field Reference | Description |
| A unique identifier for the policy, used across logs, dashboards, and API group configurations. Required |
| Custom labels to organize and filter the policy by environment, team, or functionality. Optional |
| Specifies the length of the time window during which requests are tracked for each client profile. Required |
| Defines the time unit for the duration (e.g., Seconds, Minutes, Hours, Days). Required |
| The maximum number of requests allowed per client profile within the defined time window before access is restricted. Required |
| The message is returned to the client when their request is denied due to exceeding the rate limit. Default: “API rate limit exceeded” Optional |
How It Works
Request received: The gateway identifies the client using an API key, IP address, or user ID.Counter check: The system retrieves the request count for the client within the current time window.Limit evaluation :If the count is below the configured limit, the request is forwarded and the counter is incremented , else the limit is reached or exceeded, the request is rejectedError response: Rejected requests receive an error indicating that the rate limit has been exceeded.Window reset: After the time window expires, the counter resets and the client can send requests again.
Attaching a Policy to an API Group
Once a Rate Limiting policy is created, it can be attached to one or more API Groups. Multiple policies can be applied to an API Group and their execution order can be configured by dragging them into the desired sequence.