You can associate the user-level rate limit policy to control the number of times a specific API user can access a managed API and its operations within a designated timeframe. That is, you can configure the number of times a specific user can invoke the managed API.
When you try to invoke the managed API after reaching the configured rate limit, you receive an HTTP 429 status code.
You can associate only one user name with one user-level rate limit policy, regardless of whether the rate limit policy is enabled or disabled for the user.
You can associate a user-level rate limit policy only with a managed API that is in the active state. If you are assigned a user-level rate limit policy that is disabled on the policy configuration page, the policy status Disabled appears next to the Policy Name field. You can't activate a managed API that has a disabled user-level rate limit policy associated with it. However, you can activate a managed API if the policy is enabled for the managed API but disabled for a specific user.
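The following Python model is an added illustration, not the product's own code: it captures the policy semantics described above (a fixed number of calls per user within a window, HTTP 429 once that count is exceeded, a per-user "Applies to" exemption, and the rule that a disabled policy blocks API activation). The class and function names are assumptions made for this example.

```python
from dataclasses import dataclass, field

HTTP_OK = 200
HTTP_TOO_MANY_REQUESTS = 429


@dataclass
class UserRateLimitPolicy:
    """Hypothetical model of a user-level rate limit policy (not the product API)."""
    max_calls: int                 # calls a user may make within one window
    window_seconds: int            # length of the window in seconds
    enabled: bool = True           # policy-level toggle on the configuration page
    # Per-user "Applies to" toggle; a user mapped to False is exempt from the limit.
    applies_to: dict = field(default_factory=dict)
    # Fixed-window counters: user name -> (window_start, calls_in_window)
    _counters: dict = field(default_factory=dict)

    def can_activate_api(self) -> bool:
        """An API with a disabled policy can't be activated; a per-user
        'Applies to' = False does not block activation."""
        return self.enabled

    def check(self, user: str, now: float) -> int:
        """Return the HTTP status the gateway would answer for one call by `user`."""
        if not self.applies_to.get(user, True):
            return HTTP_OK                          # policy switched off for this user
        start, count = self._counters.get(user, (now, 0))
        if now - start >= self.window_seconds:      # window expired: start a new one
            start, count = now, 0
        if count >= self.max_calls:
            self._counters[user] = (start, count)   # limit reached: reject, don't count
            return HTTP_TOO_MANY_REQUESTS
        self._counters[user] = (start, count + 1)
        return HTTP_OK


def simulate(policy: UserRateLimitPolicy, calls):
    """Run a list of (user, timestamp) calls and return the status for each one."""
    return [policy.check(user, t) for user, t in calls]


if __name__ == "__main__":
    # Constructed sample: 2 calls per 60 s; carol is exempt via "Applies to".
    policy = UserRateLimitPolicy(max_calls=2, window_seconds=60, applies_to={"carol": False})
    sample = [("alice", 0), ("alice", 1), ("alice", 2), ("bob", 2),
              ("carol", 3), ("carol", 3), ("carol", 3), ("alice", 61)]
    print(simulate(policy, sample))   # [200, 200, 429, 200, 200, 200, 200, 200]
```

Note that one user's quota is tracked independently of every other user's, so bob is still admitted while alice is already receiving 429.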
You can use the user-level rate limit policy with basic, OAuth 2.0, and JSON web token (JWT) authentication methods.
To invoke a managed API using OAuth 2.0 authentication, you must create an OAuth 2.0 token using the credentials provided for the specific user name in the user-level rate limit policy. The managed API invocation succeeds only when you provide the correct OAuth 2.0 Client ID and OAuth 2.0 Client Secret for the specific user.
To invoke a managed API using JSON web token authentication, you must generate a JWT using the credentials provided for the specific user name in the user-level rate limit policy. The managed API invocation succeeds only when you provide the correct JWT for the specific user.
The following image shows how to configure a user-level rate limit policy for a managed API:
Creating a user-level rate limit policy
If you are assigned an Administrator or Deployer role, you can create a user-level rate limit policy for a managed API.
1. On the API Console page, click the Managed APIs tab.
2. In the row of the managed API that you want to edit, click the Actions menu and select Edit Managed API.
3. In the API Policies area, click Operational.
4. Optionally, select the rate limit.
5. In the User-Level Rate Limit area, click the + button to add new user names from the available list of users.
You can associate only one user name with one user-level rate limit policy, regardless of whether the rate limit policy is enabled or disabled for the user.
If you do not want to associate the user-level rate limit policy with the entire managed API, you can toggle the slider and disable the rate limit policy.
6. Select the rate limit policy that you want to configure.
7. The policy type and configuration fields auto-populate based on the user name and policy type that you selected.
8. Optionally, toggle the Applies to slider if you do not want to associate the rate limit policy with the particular user.
9. Optionally, in the Notes field, enter a note.
10. Click Save.
If any validation errors occur, the Validation panel appears. Fix all errors listed on the Validation panel and click Save again.