Rate limit based on API Key and Query Param

Hi,

I was going through the documentation on rate limiting policy based on client apps, and found it a bit confusing.

Is there a way that I can specify a rate limit based on API key? For example, for API Key = 1, set a limit of 100 requests, for API key = 2, set a limit of 200, and so on?

Another question is, is it possible to control rate limits based on a query param? i.e., we add a query param named "client". If client = A, set the rate limit as 100, if client = B, set the rate limit as 200 and so on.

Again, the current documentation did not really help.

Can anybody please help?

ACCEPTED SOLUTION

You will use API Products to set the different quota limits.

Configure Product1 with quota limit 100

Configure Product2 with quota limit 200

Provision app1 onto Product1

Provision app2 onto Product2

Then use two policies, in this order:

  • a VerifyApiKey policy
  • a Quota policy that references the API-product specific quota limit. This limit is implicitly retrieved into the MessageContext by the VerifyApiKey.

The Quota uses an Identifier element. If you want, you can refer to a queryparam in that identifier. Usually the ID is the developer app id, or the client id. You can pass it in a header, or query param, or wherever you like.

<Quota name="CheckQuota">
  <Identifier ref="request.queryparam.vinodh"/> 
  <Interval>1</Interval>
  <TimeUnit>hour</TimeUnit>
  <Allow count="200" countRef="verifyapikey.verify-api-key.apiproduct.developer.quota.limit"/>
</Quota>

See the documentation on the Quota policy for more information. There are screencasts explaining this.

vbalan
Participant II

Hi,

In order to make the quota policy work, I had to add the proxy to the product. I also added a few additional fields to the Quota policy:

<Quota name="Quota-operation">
   <Identifier ref="request.queryparam.apikey" />
   <Interval ref="verifyapikey.Verify-API-Key-1.apiproduct.developer.quota.interval">1</Interval>
   <TimeUnit ref="verifyapikey.Verify-API-Key-1.apiproduct.developer.quota.timeunit">minute</TimeUnit>
   <Allow count="5" countRef="verifyapikey.Verify-API-Key-1.apiproduct.developer.quota.limit" />
   <Synchronous>true</Synchronous>
   <Distributed>true</Distributed>
</Quota>
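
Added example, not part of the thread and not the posters' own configuration: the two policies from the accepted solution and the flow that runs them in that order, reusing the policy names from the reply above. It assumes the key arrives in the `apikey` query parameter, and it keys the counter on the `client_id` variable that VerifyAPIKey sets after validating the key, so the quota bucket follows the verified app rather than a value the caller can change independently of its key. The file names in the comments are illustrative.

```xml
<!-- Constructed example. Each top-level element below is a separate file
     in the proxy bundle; they are shown together only for reading. -->

<!-- policies/Verify-API-Key-1.xml
     Validates the key and loads the app's API product attributes
     (quota limit, interval, time unit) into flow variables. -->
<VerifyAPIKey name="Verify-API-Key-1">
  <APIKey ref="request.queryparam.apikey"/>
</VerifyAPIKey>

<!-- policies/Quota-operation.xml -->
<Quota name="Quota-operation">
  <!-- One counter per verified app: client_id is set by VerifyAPIKey
       only after the key has been accepted. -->
  <Identifier ref="verifyapikey.Verify-API-Key-1.client_id"/>
  <!-- Limit, interval and time unit are read from the API product the app
       is provisioned on (Product1 = 100, Product2 = 200 in the answer).
       The literal values are used only if the reference does not resolve. -->
  <Allow count="5" countRef="verifyapikey.Verify-API-Key-1.apiproduct.developer.quota.limit"/>
  <Interval ref="verifyapikey.Verify-API-Key-1.apiproduct.developer.quota.interval">1</Interval>
  <TimeUnit ref="verifyapikey.Verify-API-Key-1.apiproduct.developer.quota.timeunit">minute</TimeUnit>
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>

<!-- Proxy endpoint PreFlow: key verification must run before the Quota
     step, otherwise the verifyapikey.* variables are still empty and the
     fallback values apply to every caller. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Name>Verify-API-Key-1</Name>
    </Step>
    <Step>
      <Name>Quota-operation</Name>
    </Step>
  </Request>
  <Response/>
</PreFlow>
```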