Using the Rate Limit middleware with Tyk Classic APIs

Last updated: 2 minutes read.

The per-endpoint rate limit middleware allows you to enforce rate limits on specific endpoints. This middleware is configured in the Tyk Classic API Definition, either via the Tyk Dashboard API or in the API Designer.

If you’re using the newer Tyk OAS APIs, then check out the Tyk OAS page.

Configuring a rate limit in the Tyk Classic API Definition

To enable the middleware, add a new rate_limit object to the extended_paths section of your API definition.

The rate_limit object has the following configuration:

  • path: the endpoint path
  • method: the endpoint HTTP method
  • enabled: boolean to enable or disable the rate limit
  • rate: the maximum number of requests that will be permitted during the interval (window)
  • per: the length of the interval (window) in seconds

You can set different rate limits for various endpoints by specifying multiple rate_limit objects.

Simple endpoint rate limit

For example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

{
    "use_extended_paths": true,
    "extended_paths": {
        "rate_limit": [
            {
                "path": "/anything",
                "method": "GET",
                "enabled": true,
                "rate": 60,
                "per": 1
            }
        ]
    }
}

In this example, the rate limit middleware has been configured for HTTP GET requests to the /anything endpoint, limiting requests to 60 per second.

Advanced endpoint rate limit

For more complex scenarios, you can configure rate limits for multiple paths. The order of evaluation matches the order defined in the rate_limit array. For example, if you wanted to limit the rate of POST requests to your API allowing a higher rate to one specific endpoint you could configure the API definition as follows:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

{
    "use_extended_paths": true,
    "extended_paths": {
        "rate_limit": [
            {
                "path": "/user/login",
                "method": "POST",
                "enabled": true,
                "rate": 100,
                "per": 1
            },
            {
                "path": "/.*",
                "method": "POST",
                "enabled": true,
                "rate": 60,
                "per": 1
            }
        ]
    }
}

In this example, the first rule limits POST requests to /user/login to 100 requests per second (rps). Any other POST request matching the regex pattern /.* will be limited to 60 requests per second. The order of evaluation ensures that the specific /user/login endpoint is matched and evaluated before the regex pattern.

See also

Return to Top
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.
   Read More