Rate Limiting with identifier-based rules


Hi,

I'm new to Apigee and wanted to ask a couple of questions. I want to implement rate limiting for an API. I also want to have different limits for different clients, their identifier being passed in a header as part of a JWT.

Two questions:

1. Which rate limiting implementation is best suitable for my API? (it is external, however, only registered clients can use it)

2. Is it possible to implement rate limits based on identifiers in JWT? If so, how?

Thank you!


There are 3 policies that you could potentially use:

  1. Quota
  2. Spike Arrest
  3. Concurrent Rate Limiting

All 3 of them address different aspects of rate limiting.

See https://docs.apigee.com/api-platform/develop/rate-limiting for an introduction to these policies, and

https://docs.apigee.com/api-platform/develop/comparing-quota-spike-arrest-and-concurrent-rate-limit-... for a comparison between them.

Both the Quota and Spike Arrest policies support the <Identifier> element, which allows you to keep separate tabs based on a flow variable.

The Concurrent Rate Limit doesn't, as it is targeted towards controlling the traffic flowing towards a backend.

Thank you for this reply!

I was wondering, is it possible to configure those policies to parse the JWT token in one of the request headers, and use the parsed value as an identifier?

You should use a Verify JWT policy before your rate limiting policy of choice.

Upon success, the Verify JWT policy sets context variables according to this pattern:

jwt.{policy_name}.{variable_name}

For example, if the policy name is jwt-parse-token, then the policy will store the subject specified in the JWT to this context variable: jwt.jwt-parse-token.subject

You can then use the appropriate variable when setting the <Identifier> element in your rate limiting policy.

See https://docs.apigee.com/api-platform/reference/policies/verify-jwt-policy#flow-variables for details of all variables set by Verify JWT.

Is it possible to configure custom quotas based on the value from JWT? For example, we have a "clientId" field in the JWT. In the quota description we specify the Identifier as <Identifier ref="jwt.jwt-parse-token.clientId"/>. However, that would mean that there would be the same quota for every different value of clientId. What if it is necessary to have different quotas for different clientIds (for example, if clientId is "test", have a quota of 100 requests per second, and for clientId "test2" have a quota of 200 requests per second)?

You could use a KVM to store the quota value for each clientId.
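The following is an added example, not code from the thread or from Apigee's own samples, that puts the two answers above together: Verify JWT first (so the identifier used for counting is a signed, verified claim rather than whatever a caller writes into a header), then a KVM lookup of the per-client limit, then Quota and Spike Arrest keyed on that claim. The policy names (jwt-parse-token, kvm-get-quota, quota-per-client, spike-per-client), the KVM name client-quotas, the claim name clientId, the JWKS URL and the issuer/audience values are all assumptions for illustration. The flow-variable name for a custom claim is written here as jwt.jwt-parse-token.claim.clientId; check it against the Verify JWT flow-variable reference linked in the thread for your Apigee version. Note also that Quota's TimeUnit is minute, hour, day, week or month, so the "per second" limits in the question are expressed with Spike Arrest, while Quota gives each client its own per-minute allowance read from the KVM.

```xml
<!-- ProxyEndpoint PreFlow (assumed): policies run in this order. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>jwt-parse-token</Name></Step>   <!-- 1. verify signature and claims -->
    <Step><Name>kvm-get-quota</Name></Step>     <!-- 2. look up this client's limit -->
    <Step><Name>quota-per-client</Name></Step>  <!-- 3. per-client quota -->
    <Step><Name>spike-per-client</Name></Step>  <!-- 4. per-client burst ceiling -->
  </Request>
</PreFlow>

<!-- policies/jwt-parse-token.xml: fails the request unless the JWT is valid,
     so everything downstream can trust jwt.jwt-parse-token.* variables. -->
<VerifyJWT name="jwt-parse-token">
  <Algorithm>RS256</Algorithm>
  <!-- Source defaults to request.header.authorization (Bearer <token>); shown explicitly. -->
  <Source>request.header.authorization</Source>
  <PublicKey>
    <!-- assumed JWKS endpoint of the token issuer -->
    <JWKS uri="https://idp.example.com/.well-known/jwks.json"/>
  </PublicKey>
  <Issuer>https://idp.example.com/</Issuer>   <!-- assumed -->
  <Audience>my-api</Audience>                  <!-- assumed -->
</VerifyJWT>

<!-- policies/kvm-get-quota.xml: reads the per-client allowance from an
     environment-scoped KVM named client-quotas (assumed), keyed by the
     verified clientId claim, into private.client_quota. Entries would be
     e.g. test -> 100, test2 -> 200 (constructed sample values). -->
<KeyValueMapOperations name="kvm-get-quota" mapIdentifier="client-quotas">
  <Scope>environment</Scope>
  <Get assignTo="private.client_quota" index="1">
    <Key>
      <Parameter ref="jwt.jwt-parse-token.claim.clientId"/>
    </Key>
  </Get>
  <!-- cache the lookup briefly so each request does not hit the KVM store -->
  <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
</KeyValueMapOperations>

<!-- policies/quota-per-client.xml: one counter per clientId. countRef takes
     the value from the KVM; count="60" is the fallback used when no entry
     exists for that client (an unknown client gets the conservative limit,
     not an unlimited one). -->
<Quota name="quota-per-client">
  <Identifier ref="jwt.jwt-parse-token.claim.clientId"/>
  <Allow count="60" countRef="private.client_quota"/>
  <Interval>1</Interval>
  <TimeUnit>minute</TimeUnit>
  <Distributed>true</Distributed>
  <Synchronous>false</Synchronous>
</Quota>

<!-- policies/spike-per-client.xml: smooths bursts per clientId at a fixed
     rate of 100 requests per second; Rate may also take ref="..." if the
     burst ceiling should come from the KVM as well. -->
<SpikeArrest name="spike-per-client">
  <Identifier ref="jwt.jwt-parse-token.claim.clientId"/>
  <Rate>100ps</Rate>
  <UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>
```

Two points worth checking in a review of this setup: the Quota and Spike Arrest steps must sit after Verify JWT, otherwise a request with a forged or absent token is counted against (or exempted from) someone else's bucket; and the Quota's fallback count should be the most restrictive value, so that a missing KVM entry degrades to "tightly limited" rather than "unlimited".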