Rate limiting (API Budget)
In order to prevent sending too many requests to the API in a short period of time, you can configure an API Budget. This budget determines the maximum number of calls that can be made within a specified time interval (or intervals). This mechanism is particularly useful for respecting third-party API rate limits and avoiding potential throttling or denial of service.
When using an HTTPAPIBudget, rate limit updates can be automatically extracted from HTTP response headers such as remaining calls or time-to-reset values.
Schema
HTTPAPIBudget:
type: object
title: HTTP API Budget
description: >
An HTTP-specific API budget that extends APIBudget by updating rate limiting information based
on HTTP response headers. It extracts available calls and the next reset timestamp from the HTTP responses.
required:
- type
- policies
properties:
type:
type: string
enum: [HTTPAPIBudget]
policies:
type: array
description: List of call rate policies that define how many calls are allowed.
items:
anyOf:
- "$ref": "#/definitions/FixedWindowCallRatePolicy"
- "$ref": "#/definitions/MovingWindowCallRatePolicy"
- "$ref": "#/definitions/UnlimitedCallRatePolicy"
ratelimit_reset_header:
type: string
default: "ratelimit-reset"
description: The HTTP response header name that indicates when the rate limit resets.
ratelimit_remaining_header:
type: string
default: "ratelimit-remaining"
description: The HTTP response header name that indicates the number of remaining allowed calls.
status_codes_for_ratelimit_hit:
type: array
default: [429]
items:
type: integer
description: List of HTTP status codes that indicate a rate limit has been hit.
additionalProperties: true
An HTTPAPIBudget may contain one or more rate policies. These policies define how rate limits should be enforced.
Example usage
api_budget:
type: "HTTPAPIBudget"
ratelimit_reset_header: "X-RateLimit-Reset"
ratelimit_remaining_header: "X-RateLimit-Remaining"
status_codes_for_ratelimit_hit: [ 429 ]
policies:
- type: "UnlimitedCallRatePolicy"
matchers: []
- type: "FixedWindowCallRatePolicy"
period: "PT1H"
call_limit: 1000
matchers:
- method: "GET"
url_base: "https://api.example.com"
url_path_pattern: "^/users"
- type: "MovingWindowCallRatePolicy"
rates:
- limit: 100
interval: "PT1M"
matchers:
- method: "POST"
url_base: "https://api.example.com"
url_path_pattern: "^/users"
Above, we define:
- UnlimitedCallRatePolicy: A policy with no limit on requests.
- FixedWindowCallRatePolicy: Allows a set number of calls within a fixed time window (in the example, 1000 calls per 1 hour).
- MovingWindowCallRatePolicy: Uses a moving time window to track how many calls were made in the last interval. In the example, up to 100 calls per 1 minute for
POST /users.
Rate Policies
Unlimited call rate policy
Use this policy if you want to allow unlimited calls for a subset of requests.
For instance, the policy below will not limit requests that match its matchers:
UnlimitedCallRatePolicy:
type: object
title: Unlimited Call Rate Policy
description: A policy that allows unlimited calls for specific requests.
required:
- type
- matchers
properties:
type:
type: string
enum: [UnlimitedCallRatePolicy]
matchers:
type: array
items:
"$ref": "#/definitions/HttpRequestRegexMatcher"
Example
api_budget:
type: "HTTPAPIBudget"
policies:
- type: "UnlimitedCallRatePolicy"
# For any GET request on https://api.example.com/sandbox
matchers:
- method: "GET"
url_base: "https://api.example.com"
url_path_pattern: "^/sandbox"
Here, any request matching the above matcher is not rate-limited.
Fixed Window Call Rate Policy
This policy allows n calls per specified interval (for example, 1000 calls per hour). After the time window ends (the “fixed window”), it resets, and you can make new calls.
FixedWindowCallRatePolicy:
type: object
title: Fixed Window Call Rate Policy
description: A policy that allows a fixed number of calls within a specific time window.
required:
- type
- period
- call_limit
- matchers
properties:
type:
type: string
enum: [FixedWindowCallRatePolicy]
period:
type: string
format: duration
call_limit:
type: integer
matchers:
type: array
items:
"$ref": "#/definitions/HttpRequestRegexMatcher"
additionalProperties: true
- period: In ISO 8601 duration format (e.g.
PT1Hfor 1 hour,PT15Mfor 15 minutes). - call_limit: Maximum allowed calls within that period.
- matchers: A list of request matchers (by HTTP method, URL path, etc.) that this policy applies to.
Example
api_budget:
type: "HTTPAPIBudget"
policies:
- type: "FixedWindowCallRatePolicy"
period: "PT1H"
call_limit: 1000
matchers:
- method: "GET"
url_base: "https://api.example.com"
url_path_pattern: "^/users"
Moving Window Call Rate Policy
This policy allows a certain number of calls in a “sliding” or “moving” window, using timestamps for each call. For example, 100 requests allowed within the last 60 seconds.
MovingWindowCallRatePolicy:
type: object
title: Moving Window Call Rate Policy
description: A policy that allows a fixed number of calls within a moving time window.
required:
- type
- rates
- matchers
properties:
type:
type: string
enum: [MovingWindowCallRatePolicy]
rates:
type: array
items:
"$ref": "#/definitions/Rate"
matchers:
type: array
items:
"$ref": "#/definitions/HttpRequestRegexMatcher"
additionalProperties: true
- rates: A list of
Rateobjects, each specifying alimitandinterval. - interval: An ISO 8601 duration (e.g.,
"PT1M"is 1 minute). - limit: Number of calls allowed within that interval.
Example
api_budget:
type: "HTTPAPIBudget"
policies:
- type: "MovingWindowCallRatePolicy"
rates:
- limit: 100
interval: "PT1M"
matchers:
- method: "GET"
url_base: "https://api.example.com"
url_path_pattern: "^/orders"
In this example, at most 100 requests to GET /orders can be made in any rolling 1-minute period.
Matching requests with matchers
Each policy has a matchers array of objects defining which requests it applies to. The schema for each matcher:
HttpRequestRegexMatcher:
type: object
properties:
method:
type: string
description: The HTTP method (e.g. GET, POST).
url_base:
type: string
description: The base URL to match (e.g. "https://api.example.com" without trailing slash).
url_path_pattern:
type: string
description: A regular expression to match the path portion.
params:
type: object
additionalProperties: true
headers:
type: object
additionalProperties: true
additionalProperties: true
- method: Matches if the request method equals the one in the matcher (case-insensitive).
- url_base: Matches the scheme + host portion (no trailing slash).
- url_path_pattern: Regex is tested against the request path.
- params: The query parameters must match.
- headers: The headers must match. A request is rate-limited by the first policy whose matchers pass. If no policy matches, then the request will be allowed if you have not defined a default/other policy that catches everything else.
Putting it all together
You may define multiple policies for different endpoints. For example:
api_budget:
type: "HTTPAPIBudget"
# Use standard rate limit headers from your API
ratelimit_reset_header: "X-RateLimit-Reset"
ratelimit_remaining_header: "X-RateLimit-Remaining"
status_codes_for_ratelimit_hit: [429, 420]
policies:
# Policy 1: Unlimited
- type: "UnlimitedCallRatePolicy"
matchers:
- url_base: "https://api.example.com"
method: "GET"
url_path_pattern: "^/sandbox"
# Policy 2: 1000 calls per hour
- type: "FixedWindowCallRatePolicy"
period: "PT1H"
call_limit: 1000
matchers:
- method: "GET"
url_base: "https://api.example.com"
url_path_pattern: "^/users"
# Policy 3: 500 calls per hour
- type: "FixedWindowCallRatePolicy"
period: "PT1H"
call_limit: 500
matchers:
- method: "POST"
url_base: "https://api.example.com"
url_path_pattern: "^/orders"
# Policy 4: 20 calls every 5 minutes (moving window).
- type: "MovingWindowCallRatePolicy"
rates:
- limit: 20
interval: "PT5M"
matchers:
- url_base: "https://api.example.com"
url_path_pattern: "^/internal"
- The request attempts to match the first policy (unlimited on
GET /sandbox). If it matches, it’s unlimited. - Otherwise, it checks the second policy (1000/hour for
GET /users), etc. - If still no match, it is not rate-limited by these defined policies (unless you add a “catch-all” policy).