How to determine API rate limits

Published on 2021-04-29

When you provide an API to your customers, you’ll hopefully experience scalability issues at some point. That’s a good thing: it means your traffic is growing! You’ll have to deal with it, of course, and one of the most important parts of that is dealing with abusive users.

Some API clients could be overloading your API by accident, for example because of a small programming mistake that triggers a request every second instead of every minute. Others could be doing so on purpose. Both can be handled by implementing rate limits.

Rate limits consist of a number of requests you want to allow and a period of time in which you want to allow them. For example, allow 10 requests every minute, or allow 3600 requests every hour. That last example can cope with higher peaks, but a client that uses its quota in a burst is then not allowed many requests for the rest of the hour.

Most rate limiting systems, such as rack-attack, also allow you to set different rate limits for different request paths and request methods. So a POST to your API might be limited more strictly than a GET.
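To make the two ideas above concrete (a limit is "N requests per period", and different rules can apply per method and path), here is an added example in plain Ruby. It is not rack-attack's or Callcounter's code; the rule names, paths, limits and the `FakeClock` are all illustrative, and the clock is injected so the run is deterministic and works offline. The demo at the bottom also shows the trade-off of the 3600-per-hour example: a burst is accepted, after which the client is blocked until the hour boundary.

```ruby
# Added example, not rack-attack's or Callcounter's code: a minimal fixed-window
# rate limiter with separate rules per request method and path. Rule names,
# paths, limits and the FakeClock are illustrative; the clock is injected so the
# example is deterministic and runs offline.

class FakeClock
  attr_accessor :now            # current time in whole seconds (constructed)
  def initialize(now)
    @now = now
  end
end

class RateLimiter
  Rule = Struct.new(:name, :limit, :period, :matcher)

  def initialize(clock)
    @clock = clock
    @rules = []
    @counters = Hash.new(0)     # [client, rule name, window index] => requests counted
  end

  # limit: requests allowed per window; period: window length in seconds.
  # The block receives (method, path) and returns true when the rule applies.
  def add_rule(name, limit:, period:, &matcher)
    @rules << Rule.new(name, limit, period, matcher)
  end

  # Returns :allowed, or [:limited, rule_name] for the first exhausted rule.
  # Every applicable rule is checked before any counter is incremented, so a
  # rejected request does not consume quota under another rule.
  def check(client, method, path)
    now = @clock.now
    keys = []
    @rules.each do |rule|
      next unless rule.matcher.call(method, path)
      window = (now / rule.period).floor     # fixed window: resets on the period boundary
      key = [client, rule.name, window]
      return [:limited, rule.name] if @counters[key] >= rule.limit
      keys << key
    end
    keys.each { |key| @counters[key] += 1 }
    :allowed
  end
end

# Illustrative rule set: 10 GETs per minute under /api/, 3 POSTs per minute to
# /api/orders, and 3600 requests per hour for anything under /api/.
def build_limiter(clock)
  limiter = RateLimiter.new(clock)
  limiter.add_rule("api-get", limit: 10, period: 60) { |m, p| m == "GET" && p.start_with?("/api/") }
  limiter.add_rule("orders-post", limit: 3, period: 60) { |m, p| m == "POST" && p == "/api/orders" }
  limiter.add_rule("api-hourly", limit: 3600, period: 3600) { |_m, p| p.start_with?("/api/") }
  limiter
end

# Replays constructed requests ([time, client, method, path]) against the
# limiter and returns the decision for each one.
def replay(limiter, clock, requests)
  requests.map do |time, client, method, path|
    clock.now = time
    limiter.check(client, method, path)
  end
end

if __FILE__ == $PROGRAM_NAME
  clock = FakeClock.new(0)
  limiter = build_limiter(clock)

  # 12 GETs in one minute: the first 10 pass, the rest are limited until t=60.
  burst = (0...12).map { |t| [t, "client-a", "GET", "/api/users"] }
  puts replay(limiter, clock, burst).tally.inspect

  # 3601 PATCH requests at once only hit the hourly rule: 3600 pass, then the
  # client is blocked until the next hour boundary (the trade-off noted above).
  hour = Array.new(3601) { [0, "client-b", "PATCH", "/api/items"] }
  puts replay(limiter, clock, hour).tally.inspect
  puts replay(limiter, clock, [[1800, "client-b", "PATCH", "/api/items"],
                               [3600, "client-b", "PATCH", "/api/items"]]).inspect
end
```

A real deployment would keep the counters in a shared store such as Redis and expire old windows; the in-memory hash here only exists to show the decision logic. The same shape (a key of client, rule and window index, compared against a limit) is what a fixed-window limiter like rack-attack's throttle does.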

As you can imagine, it is quite difficult to determine these limits. You’ll have to gain insight into the current usage of your API, preferably by normally behaving users. Grepping through logs is quite cumbersome, so you’d better use an API analytics product such as Callcounter. It can help you find trends and peaks in usage, with filters on request path and request method (POST/PATCH/…).

Using Callcounter you should be able to get quite a good idea of current usage thresholds. Newly introduced rate limits should be above those, so they won’t affect your well-behaved customers. When an abusive user shows up they will be limited, and you will be able to see it in Callcounter.
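The two paragraphs above describe the analysis step: find the peak per-minute usage per path and method among normally behaving clients, then set the limit above it. As an added example (not Callcounter's code, and written against a constructed log format rather than any real server's), the Ruby below parses sample access-log lines, computes each client's peak requests per minute for every (method, path) pair, and derives a suggested limit. The clients, the log format and the 2x headroom factor are illustrative assumptions; the point it shows is how a single abusive client inflates the baseline unless it is excluded from the measurement.

```ruby
# Added example, not Callcounter's code: derive current usage thresholds from
# access-log lines before choosing a rate limit. The log line format, the
# sample clients and the headroom factor are all constructed for illustration.
require "time"

LOG_LINE = /\A(?<ts>\S+) client=(?<client>\S+) method=(?<method>[A-Z]+) path=(?<path>\S+)/

# Builds a constructed access log: a normal client (acme), a slightly busier
# normal client (beta), a scraper bursting 40 requests in one minute, and one
# malformed line that the parser must skip.
def build_sample_log
  lines = []
  add = lambda do |minute, sec, client, method, path|
    lines << format("2021-04-28T10:%02d:%02dZ client=%s method=%s path=%s status=200",
                    minute, sec, client, method, path)
  end
  3.times { |m| [0, 15, 30, 45].each { |s| add.call(m, s, "acme", "GET", "/api/users") } }
  [5, 50].each { |s| add.call(1, s, "acme", "POST", "/api/orders") }
  (0..50).step(10) { |s| add.call(1, s, "beta", "GET", "/api/users") }
  40.times { |s| add.call(2, s, "scraper", "GET", "/api/users") }
  lines << "this line is not an access log entry"
  lines.join("\n")
end

# Parses log text into [epoch seconds, client, method, path] tuples,
# silently skipping lines that do not match the expected format.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LOG_LINE.match(line)
    next unless m
    [Time.iso8601(m[:ts]).to_i, m[:client], m[:method], m[:path]]
  end
end

# Peak number of requests any single client made in one window (default one
# minute), grouped by request method and path:
# { [method, path] => { client => peak_per_window } }
def peak_usage(entries, window: 60)
  counts = Hash.new(0)
  entries.each do |t, client, method, path|
    counts[[method, path, client, t / window]] += 1
  end
  peaks = Hash.new { |h, k| h[k] = Hash.new(0) }
  counts.each do |(method, path, client, _w), n|
    peaks[[method, path]][client] = [peaks[[method, path]][client], n].max
  end
  peaks
end

# Suggests a per-(method, path) limit: the highest peak among normally behaving
# clients times a headroom factor (2x is an illustrative choice). Known abusive
# clients are excluded so they do not inflate the baseline.
def suggest_limits(peaks, headroom: 2, exclude: [])
  peaks.each_with_object({}) do |(key, by_client), out|
    normal = by_client.reject { |client, _| exclude.include?(client) }
    next if normal.empty?
    out[key] = normal.values.max * headroom
  end
end

if __FILE__ == $PROGRAM_NAME
  peaks = peak_usage(parse_log(build_sample_log))
  peaks.each { |(method, path), by_client| puts "#{method} #{path}: #{by_client.inspect}" }
  puts "with scraper:    #{suggest_limits(peaks).inspect}"
  puts "without scraper: #{suggest_limits(peaks, exclude: ["scraper"]).inspect}"
end
```

Run on the constructed log, the GET /api/users baseline is 6 requests per minute (client beta) and the suggested limit 12, whereas leaving the scraper in the data would suggest 80 and let the abuse continue unnoticed. Once a limit is live, the same per-client peak table is what you would watch to see a newly limited client stand out.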

Let us know if you need help, we’re here to help you gain more confidence in the API you host.