
API Throttling Best Practices

I have a SOAP API that I would like to throttle access to on a User basis after "x" many calls have been received in "y" amount of time.

After searching around, the #1 consideration (obviously) is to consider your parameters for when to throttle users. However, I don't see much in the way of best practices/examples for implementing such a solution. I did see the Leaky Bucket Method which makes sense. I have to believe there are more ideas out there though.

Any other takers on how you go about implementing your throttling solution? Questions include:

  • Do any frameworks provide capabilities (e.g. Spring, etc.) for throttling in web APIs?
  • Seems to me you would need to store access information per user. How do you minimize the database overhead for doing this EVERY call?
  • Do you even NEED to access a datastore to implement this?
asked Jul 19 '13 17:07

alph486




1 Answer

For what it's worth, I've sort of answered this question after working on some other production projects.

  1. Home brew: Using Spring AOP to pointcut around the method calls prior to executing API method code is one home-brew way if you have your own algorithm to implement. This ends up being pretty elegant and flexible as you can capture a lot of metadata prior to deciding what to do with the request.
  2. API Management Service: If you're talking about a production system and you have the budget, probably the best way to go is to delegate this to an API Management layer like Apigee or Mashery.

Advantage is that it separates the concerns so it's easier to change and allows you to focus just on your API. This is especially helpful if business stakeholders are involved and you need a good UI and dictionary of terms.

Disadvantage, of course, is the cost and the vendor lock-in.

Hope this helps someone!

answered Nov 15 '22 13:11

alph486
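An added example, not part of the original post: a per-user leaky bucket kept entirely in memory, which is the kind of check the home-brew option's AOP advice could call before letting the API method run. The class and method names (`UserThrottle`, `tryAcquire`, `evictDrained`), the 3-calls-per-minute limit and the fake clock are assumptions made for illustration; state held this way covers a single application instance only, so several nodes enforcing one limit would need a shared store.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

// Added example (hypothetical names): allow "x" calls per "y" ms per user, with no datastore.
public class UserThrottle {
    private static final class Bucket { double level; long lastMillis; }

    private final ConcurrentHashMap<String, Bucket> buckets = new ConcurrentHashMap<>();
    private final double capacity;      // "x": calls the bucket can hold
    private final double leakPerMilli;  // x / y: how fast the bucket drains
    private final LongSupplier clock;   // injectable so the demo is deterministic

    public UserThrottle(int capacity, long windowMillis, LongSupplier clock) {
        this.capacity = capacity;
        this.leakPerMilli = (double) capacity / windowMillis;
        this.clock = clock;
    }

    // Returns true if the call is allowed; an interceptor would reject the request on false.
    public boolean tryAcquire(String userId) {
        long now = clock.getAsLong();
        boolean[] allowed = new boolean[1];
        // compute() is atomic per key, so concurrent calls by one user cannot race past the limit.
        buckets.compute(userId, (id, b) -> {
            if (b == null) { b = new Bucket(); b.lastMillis = now; }
            b.level = Math.max(0.0, b.level - (now - b.lastMillis) * leakPerMilli);
            b.lastMillis = now;
            if (b.level + 1.0 <= capacity) { b.level += 1.0; allowed[0] = true; }
            return b;
        });
        return allowed[0];
    }

    // Run periodically: drops fully drained buckets so the map does not grow with every user id seen.
    public void evictDrained() {
        long now = clock.getAsLong();
        for (String id : buckets.keySet())
            buckets.computeIfPresent(id, (k, b) -> b.level <= (now - b.lastMillis) * leakPerMilli ? null : b);
    }

    public static void main(String[] args) {
        long[] fakeNow = {0};                                             // constructed clock, in ms
        UserThrottle t = new UserThrottle(3, 60_000, () -> fakeNow[0]);   // 3 calls per minute
        for (int i = 1; i <= 4; i++) System.out.println("alice call " + i + ": " + t.tryAcquire("alice"));
        System.out.println("bob call 1: " + t.tryAcquire("bob"));         // each user has a separate bucket
        fakeNow[0] = 30_000;                                              // half the window has drained
        System.out.println("alice after 30s: " + t.tryAcquire("alice"));
    }
}
```

Key the bucket on the authenticated user identity rather than on a client-supplied field, otherwise a caller can get a fresh bucket by changing the value.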