Demystifying API Rate Limiting
APIs are the “digital glue” that integrates and connects infrastructure, services, devices, and users. With the proliferation of APIs in almost every organization, it‘s essential to have a mechanism in place to manage and govern them. That’s why we introduced Akamai API Gateway, which makes it easier for you to add governance to your APIs.
A critical aspect of API governance is limiting the number of API requests that consumers can make in a certain time frame. There are two primary methods that are used to throttle API requests: rate limiting and quota management. Even though these methods serve very different needs, they are quite similar, and it can be confusing which one to use in a given situation. In this blog post, we highlight the differences between rate limiting and quota management and discuss how you can leverage Akamai solutions to throttle API requests using one or both methods.
First, let’s define these methods. Rate limiting prevents your infrastructure from being overwhelmed by API requests from legitimate users, ensuring availability and reliability for all API consumers. It does this by counting requests in a given time period and applying specified limitations to those requests. User quota also counts requests, but serves a very different purpose. Quota management helps enforce service-level agreements (SLA) for API consumers by allowing you to limit the number of API requests consumers can make in a longer time interval.
Now let’s look at how these two capabilities manifest in real-life examples. API publishers often use one or both methods to throttle API requests from API consumers. The image below shows a company employing only rate limiting with a limit of 180 API requests per every 15 minutes for a given API consumer:
The next image shows a company using both rate limiting and quota management to throttle API requests. The limits defined here are based on four tiers (Low, Medium, Sandbox, and High), with each tier granting a certain number of quota hits per day and requests per second:
Now, let’s take a deeper dive into rate limiting and quota management to further illuminate the details of each method.
Legitimate API consumers often send too many API requests in a very short period of time (think minutes or seconds) which can overload your infrastructure and bring down the API for all consumers. You need a way to prevent these legitimate (i.e., not malicious) consumers from misbehaving.
The solution is rate limiting. This is typically done by first ensuring that an API consumer is legitimate, which can be identified by the token or key they present on every request. Once identified, you only allow a consumer to make a certain number of requests per second (e.g., 10 calls/second) and block the consumer if they exceed this limit. Rejecting requests will lead to availability for a wide range of consumers by ensuring that a single API consumer cannot dominate.
Today, API rate limiting at Akamai is restricted to the IP address level, and is available in our Kona Site Defender (KSD) product only. KSD performs rate limiting by evaluating the number of requests an IP address is making during a rolling five-second window. This capability is meant to protect the API from volumetric distributed denial-of-service (DDoS) attacks, and may be too granular for use in API rate limiting use cases (where each request must be evaluated for a token/key to uniquely identify it).
In many ways, we believe rate limiting has become an anti-pattern. API developers often depend on rate limiting to protect infrastructure without considering that they can achieve the same result by caching API responses instead of limiting the number of API requests a client can make. You want your API to serve as many consumers as it can, not turn them away. Caching API responses on Akamai helps you serve more consumers, save compute power at origin, and reduce network traffic.
If you cannot cache API responses, then Akamai has another option: you can easily leverage API Prioritization Cloudlet to limit access to your infrastructure. This Cloudlet allows you to prioritize traffic by routing specific API consumers to your API while serving other consumers an alternate JSON response.
Quota management is not rate limiting. The primary objective of implementing quota management is to enforce a business SLA. In this scenario, quota management introduces limits for accessing an API that are typically for longer durations of time such as per hour or per day.
You can leverage Akamai API Gateway to limit the number of API requests from consumers where the shortest possible time interval is one hour. Let’s say you have 100 partners that access your APIs. It’s very likely that some of these partners will make requests outside the boundaries you’ve set per day, per partner. With quota management, you can easily limit the number of API requests that a partner is allowed to make, preventing any outside-the-boundary behavior.
Another good use case is data-as-a-service, where API consumers are charged based on the number of requests they make or the quantity of data returned. For example, API providers often set up tiers (e.g., bronze, silver, and gold levels) for API access, and must ensure that consumers in each tier can only access their allotted number of API requests. A good example of that is Twitter’s quota policy, which has three tiers (which they call Premium Sandbox, Premium, and Enterprise):
Akamai API Gateway empowers you to limit the number of API requests by API key, thereby allowing you to enforce business SLAs and monetize APIs.
The table below summarizes which Akamai solutions can be used to address particular counting API requests:
The new Akamai API Gateway makes it easy for you to incorporate rate limiting and quota management into your API management and governance strategy. Check out our detailed documentation and getting started guides that will make it easy for you to get up and running with API Gateway. We encourage you to take this new product for a test-drive with a free 90 day trial of API Gateway on the Akamai Marketplace.