this is what i have in my shared flow:

<Allow countRef="verifyapikey.Verify-API-Key-1.app.appLimit" count="2000"/> <Interval ref="verifyapikey.Verify-API-Key-1.app.appInterval">1</Interval> <TimeUnit ref="verifyapikey.Verify-API-Key-1.app.appTimeUnit">hour</TimeUnit>

in app as custom attributes am setting appLimit as 50, appInterval as 1 and appTimeUnit as minute.

In my 19th request, quota count:

Are you certain that the calls that are being made are all known by you?

You said "MY 19th request". Is it possible there is another client sending requests in?

Is it possible you have a chained proxy and the proxy is calling itself?

Is it possible the upstream is issuing a 302 redirect and your client is following that redirect, which means the calls would be counted double?

Is it possible that you are proxying a web page and the webpage is referencing a number of other resources (.js .css etc) and all of those are going through the Apigee proxy and all of them are being counted against the quota?

The quota policy is one of the most heavily used policies in Apigee. I cannot say with certainty that there is no problem in the Quota, policy, but ... given the extensive use of Quota by other customers, and so few problems with it, I would say the threshold to conclude that there is a problem in the operation of the policy is very high. Extremely high. It seems much more likely that one of the assumptions you have about what is happening, is not true.

Therefore I suggest that you question and examine and test your assumptions.

It is only used by one client and am also filtering by apikey to see i am receiving the requests from that particular user. there is no chained proxy in it and there is no redirect. It was working fine till 1st march and from 2nd march it started giving the issue. I have a similar shared flow being used in another proxy and that is working fine without any issue.

Is that shared flow used by any other API Proxy?

I think that you could probably avoid the problem by using an "Identifier" element in the Quota policy.

Specify the user or the client id or whatever it is that you'd like to use as the limiting identifier for the quota. (100 requests per user, 100 requests per clientid, etc).

That's not the same issue. It's the opposite.

And the reason for that is : the Quota is not synchronous. It has a time synch interval of 10 seconds. So you may see more requests allowed during the 10-second window, than you have configured. Usually a 10-s window is fine, but it may allow 2x or more the number of provisioned calls when you have very small allow counts .