Introduction

For application programming interfaces (APIs), rate restriction is a protective technique that limits the number of requests to the API within a specific period of time. This protects an API/service from malicious attacks, overuse, brief spikes in request volume, DDoS attacks, brute-force password attempts, and other forms of abusive behavior directed at the application layer. Without rate-limiting, users could make as many requests as they wanted. This would result in request spikes which in turn would starve other users or potentially destroy the server. When rate limiting is turned on, users can only make a certain number of requests per second.

The example diagram above shows that if a user makes more than 30 requests per minute after the rate restriction is implemented, then only 30 requests are processed and the rest are dropped.