Rate Limit

This interceptor defines the maximum number of requests allowed in a given time frame (based on the server’s time) and can be added to the API or Plan flow.

For an API, the interceptor can be inserted globally or at the resource or operation level. In all these cases, the rate will be incremented regardless of who made the request, respecting the configured interval. If added to the Plan flow, the specific rate of the requester (app or access token) will be incremented. In both cases, it is possible to add a new header with the number of remaining requests.

It’s easy to confuse the functioning of Rate Limit with another traffic-controlling interceptor, the Spike Arrest. Therefore, we created a FAQ with the definitions of Spike Arrest and Rate Limit, their differences, and configuration examples.


The interceptor can only be inserted into the request flow. To configure it, fill out the following properties:

  • Configuration type: sets the type of configuration to be used by the interceptor, which can be:

    • Total calls: sets the interceptor by the total number of calls.

    • IP: configures the interceptor by IP calls, allowing you to block repeated calls from the same IP.

    • Header: configures a specific header for traffic restriction. When selecting this option, you must enter:

      • Key: the desired header key.

      • Missing header behavior: configures the behavior for requests without the header. Choose between:

        1. Allow: ignores interceptor processing, allowing the request flow.

        2. Total Calls: treats the request based on the total number of calls.

        3. Abort: blocks the request.

The header configuration was created to meet regulatory requirements for Open Finance APIs, but you can also use it in your context.

  • Calls: the total number of accepted calls.

  • Interval: sets the time interval in which calls will be accepted. It can be per second, minute, hour, day, week or month.

The interceptor considers "full" intervals. For example, if you set a minute interval and start making requests at 11:55:55, when the minute changes to 11:56:00, you will have a new set of allowed requests for that resource. It works the same way for other time intervals.

  • Soft Limit: allows you to configure an additional percentage of calls. To do this, check the option and add the value in the % field on the right. In the example image, we configured a limit of 300 calls per minute with a 30% excess allowed, accepting up to 90 more calls.

If Soft Limit is checked, the % field becomes mandatory. Otherwise, the Rate Limit will function normally, based on the quota set in the Calls field.

  • Return quota header: if checked, a parameter with the number of remaining requests will be sent with the response header.
  • When making a request, the x-ratelimit-remaining response header shows the number of remaining calls.

  • The x-ratelimit-reset header displays the time remaining until the next interval.
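
The "full" interval behavior and the Soft Limit described above can be modeled to see how much traffic a backend may receive around an interval change. This is an added example, not the platform's own code: `FixedWindowModel` and `accepted_in_span` are hypothetical names, and the way remaining calls are counted under Soft Limit and the unit of the reset value (seconds) are assumptions the page does not specify.

```python
from datetime import datetime, timedelta, timezone

# Fixed-length intervals only; week and month are left out of this model.
INTERVAL_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class FixedWindowModel:
    """Hypothetical model of a limiter that counts calls per full clock interval."""

    def __init__(self, calls, interval, soft_limit_pct=0):
        self.length = INTERVAL_SECONDS[interval]
        # Soft Limit: extra percentage of calls accepted on top of Calls.
        self.ceiling = calls + calls * soft_limit_pct // 100
        self.window_start = None
        self.count = 0

    def request(self, now):
        """Return (allowed, remaining, reset_seconds) for one call at time `now`."""
        epoch = int(now.timestamp())
        start = epoch - epoch % self.length  # align to the clock boundary
        if start != self.window_start:       # a new interval gives a fresh quota
            self.window_start, self.count = start, 0
        allowed = self.count < self.ceiling
        if allowed:
            self.count += 1
        # Assumption: remaining is measured against Calls plus the Soft Limit
        # allowance, and reset is expressed in seconds.
        remaining = self.ceiling - self.count
        reset = start + self.length - epoch
        return allowed, remaining, reset


def accepted_in_span(model, start, seconds, per_second):
    """Count accepted calls when `per_second` calls arrive every second."""
    accepted = 0
    for offset in range(seconds):
        now = start + timedelta(seconds=offset)
        for _ in range(per_second):
            accepted += model.request(now)[0]
    return accepted


if __name__ == "__main__":
    # Constructed scenario: 300 calls per minute, 30% Soft Limit, from 11:55:55.
    t0 = datetime(2024, 1, 1, 11, 55, 55, tzinfo=timezone.utc)
    model = FixedWindowModel(300, "minute", soft_limit_pct=30)
    print(accepted_in_span(model, t0, seconds=10, per_second=100))
```

In this constructed scenario the model accepts 390 calls before 11:56:00 and another 390 after it, so the backend sees 780 calls in ten seconds. Size downstream capacity for twice the configured ceiling around interval changes.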
