You can configure API-specific rate limit policies for managed APIs and custom APIs. The rate limit policy controls the number of times API consumers can invoke the API during a designated time period.
The API-specific rate limit policy overrides both the organizational and the group policies. For example, if the organizational rate limit is 10 invocations per second, and the API-specific rate limit is 20 invocations per second, API Manager rejects attempts to access the API after the 20 invocations per second limit is reached.
If neither an API-specific rate limit policy nor a group rate limit policy is enabled for an API, API Manager applies the organizational policy to the API. The maximum rate limit that you can define is 3,000 requests per minute.
Rate limit tiers
When you configure a rate limit policy for an API, you define the policy by rate limit tiers.
A tier is a logical entity that determines the number of times that users can invoke the API during a designated time period. Different rate limit tiers prevent individual users from monopolizing system resources. You can create up to six tiers. Only one tier applies to each invocation of an API.
Assign the following rate limit tiers to APIs that use API-specific rate limit policies:
• A general API-specific rate limit tier that applies to all the consumers of the API. It affects all the users in your organization, except the users you assign a user-specific rate limit to. You can allocate the rate limit tier to all the users in your organization, or allocate it per user.
When you allocate the general tier to all users, the number of calls per time frame defined in the tier is divided between all users. When you allocate the tier per user, each user can make the defined number of calls within the defined time frame.
• User-specific rate limit tiers. Each tier applies to the user that you assign the tier to.
You can also change the default organizational rate limit tier that you assign to all the managed APIs in the organization. For more information about organizational policies, see Organizational access policies.
Processing requests
The following diagram shows the logical order for processing a request:
Access lock
API Manager locks access for users that exceed the number of allowed calls within the time frame that defines the rate limit tier, based on the following logic:
• If a user exceeds the defined rate limit for the organizational rate limit policy or the API-specific rate limit tier, all the users from the same organization are locked from additional invocations of the same API using the same HTTP method.
• If a user exceeds the defined rate limit for a user-specific rate limit tier, only that user is locked from additional invocations of the API using the same HTTP method.
API Manager logs an access exception in the event log. For more information about the event log, see Event log.
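As an added illustration that is not part of API Manager or this documentation, the following Python model captures the tier semantics described above: a general tier shared by all users draws every call from one pool, a general tier allocated per user gives each user their own quota, a user-specific tier overrides the general tier, and each lock is scoped to one HTTP method and expires with the time frame. The Tier and ApiRateLimiter classes, the user names and the tier values are all constructed for this example.

```python
from collections import defaultdict, deque


class Tier:
    def __init__(self, name, calls, seconds):
        self.name, self.calls, self.seconds = name, calls, seconds  # e.g. Gold: 3 calls per 1 second


class ApiRateLimiter:
    """One API's API-specific policy: a general tier (shared by all users or
    allocated per user) plus optional user-specific tiers that override it."""

    def __init__(self, general, shared, user_tiers=None):
        self.general, self.shared = general, shared
        self.user_tiers = user_tiers or {}
        self.windows = defaultdict(deque)  # counter key -> timestamps of calls still inside the time frame
        self.event_log = []                # stands in for the API Manager event log

    def _counter(self, user, method):
        # A user-specific tier wins over the general tier; every counter is per HTTP method.
        if user in self.user_tiers:
            return ("user", user, method), self.user_tiers[user]
        if self.shared:
            return ("organization", method), self.general  # one pool for the whole organization
        return ("per-user", user, method), self.general

    def allow(self, user, method, now):
        """Return True if the call is admitted, False (and log an access exception) if locked."""
        key, tier = self._counter(user, method)
        calls = self.windows[key]
        while calls and now - calls[0] >= tier.seconds:  # drop calls that left the time frame
            calls.popleft()
        if len(calls) >= tier.calls:
            self.event_log.append(f"access exception: scope={key[0]} user={user} method={method} tier={tier.name}")
            return False
        calls.append(now)
        return True


def demo():
    gold, bronze = Tier("Gold", 3, 1), Tier("Bronze", 1, 1)
    api = ApiRateLimiter(gold, shared=True, user_tiers={"carol": bronze})
    shared_pool = [api.allow(u, "GET", 0.1) for u in ("alice", "bob", "alice", "bob")]  # 3 shared calls, 4th locked
    user_tier = [api.allow("carol", "GET", 0.2), api.allow("carol", "GET", 0.3)]  # Bronze: 1 call, own pool
    other_method = api.allow("bob", "POST", 0.4)  # POST is locked separately from GET
    after_window = api.allow("alice", "GET", 1.2)  # the 1-second time frame elapsed, pool refilled
    per_user = ApiRateLimiter(gold, shared=False)
    own_quota = [per_user.allow(u, "GET", 0.1) for u in ("alice",) * 4 + ("bob",)]  # alice locked, bob unaffected
    return shared_pool, user_tier, other_method, after_window, own_quota, api.event_log
```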
Creating tiers
Create tiers to assign to users of managed APIs and custom APIs.
1. On the API Registry page, select an API.
The API details window appears.
2. Select the Policies tab.
3. Click Tier Setup.
Enter the following properties to define the rate limit tier and click Add:
- Name of tier. Assign tiers meaningful names, such as Gold, Silver, or Bronze. For example, configure Gold to be more permissive than Silver.
- Number of calls.
- Number of seconds (Time Frame).
- Description (optional).
You can create up to six tiers.
4. Click Close.
Configuring an API-specific rate limit policy
Configure a rate limit policy for a managed API or custom API by assigning a general API-specific tier that applies to all users that access the API. You can also assign tiers to specific users. User-specific tiers determine the access policies of the user that you assign them to and override the general API-specific tier.
1. On the API Registry page, select an API.
The API details window appears.
2. Select the Policies tab.
If no tiers are defined, click Tier Setup and create tiers.
3. Select Enable API-specific rate limit policy.
4. To assign a general API-specific rate limit policy, select a rate limit tier for the API from the Tier list. Select how to assign the tier:
- To assign a rate limit tier that applies to all users, select Shared by all users and click Save. All users share the rate limit that you select.
- To assign a rate limit tier that applies to each user individually, select Allocated per user and click Save. Each user is allocated the rate limit that you select.
5. To assign a user-specific rate limit policy to a specific API user, expand the User-specific Tiers area.
6. Enter the user name in the User Name field, select a tier from the Tier list, and click Add.
You can assign only one tier to each user.
7. Assign tiers to as many users as required.
8. Click Save.
To disable the rate limit policy for the API, clear the Enable API-specific rate limit policy option and click Save.