Rate Limiting Overview

Rate limiting in Next Identity uses a token-bucket algorithm in which each request consumes one token. Next Identity sets a limit on the steady-state request rate and on the burst of request submissions against all APIs. In the token-bucket algorithm, the burst is the maximum bucket size: the number of requests that can be accepted at once before the steady-state rate takes over.

When request submissions exceed the steady-state request rate and the burst limit, the limit-exceeding requests fail and Next Identity returns 429 Too Many Requests error responses to the client. A client that receives such a response should resubmit the failed requests at a pace that stays within the API Gateway throttling limits, for example by waiting and retrying with increasing delays rather than immediately resending.

Limits can be set on individual API stages or methods to improve overall performance across all APIs. In addition, client request submissions are restricted to specified request rates and quotas, which keeps the overall request volume from going significantly past the account-level throttling limits.

Server-side throttling limits are applied across all clients. These limit settings exist to prevent your API—and your account—from being overwhelmed by too many requests.

Per-client throttling limits are applied to clients that use API keys associated with your usage policy as client identifiers.

  • Global Rate Limiting: The global rate limit is set at the global level and accounts for the total requests that come through the platform for all tenants.
  • Organization Rate Limiting: Each organization has its own identifier with an individual rate limit, expressed as the number of requests per minute that the organization as a whole can make.
  • Client Rate Limiting: Each client ID has its own set of configurations and rules. The permitted number of requests per minute is configured in the rule storage, which is cached. Each request is checked against the rule set, and if any rule is violated (for example, the rate limit is exceeded), the API returns the corresponding error response (429 Too Many Requests for an exceeded rate limit).
  • IP Rate Limiting: To prevent malicious behavior, including DDoS attacks, Next Identity limits the number of requests that can originate from a single IP address.
  • User Rate Limiting: To prevent credential-stuffing attacks, the user rate limit caps the number of requests a single user can make, including login, registration, forgot-password, and similar requests.

Client rate limit vs burst limit example

To better illustrate the difference between the client rate limit and the burst limit, consider the following example.

Sample limits:
rate limit = 1,000 requests/minute (the steady-state rate at which the bucket refills)
burst limit = 100 requests (the maximum bucket size, i.e. how many requests can be accepted at once)

If a caller submits 1,000 requests evenly over a 10-minute period (for example, 100 requests every minute), Next Identity processes all of them: the bucket refills faster than it is drained, so it never runs empty.

If the caller instead sends all 1,000 requests at once at the start of the first minute, only the 100 tokens in the bucket are available. The API Gateway serves those 100 requests and throttles the remaining 900 with 429 responses; further requests are accepted only as the bucket refills at 1,000 tokens per minute (roughly 17 per second).

In other words, a caller that empties the bucket with a burst has to wait for it to refill before more requests are accepted, and the refill rate is the steady-state rate limit.
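To make the token-bucket behaviour described above and the layered scopes (global, organization, client, IP, user) concrete, here is an added Python example. It is not Next Identity's own code; the per-scope limits, scope names and the organization, client, IP and user identifiers are assumptions for illustration, and the request patterns are constructed. It implements a single bucket, replays the even and all-at-once request patterns from the example with the sample limits (plus a third pattern, 1,000 requests spread evenly within one minute, to show that timing within the minute is what decides throttling), and layers one bucket per scope so that a burst of logins from one user trips the user limit while the client and global buckets are charged only for the requests actually served.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    """One token bucket: `burst` is the bucket size, `rate` the refill in tokens/second."""
    rate: float                      # steady-state limit, tokens added per second
    burst: float                     # burst limit, the maximum number of tokens held
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst     # a fresh bucket starts full

    def refill(self, now: float) -> None:
        """Add tokens for the time elapsed since the last call, capped at `burst`."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now

    def allow(self, now: float) -> bool:
        """Refill, then consume one token if one is available (each request costs one)."""
        self.refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals: list[float], rate_per_min: float = 1000.0, burst: float = 100.0) -> tuple[int, int]:
    """Run request arrival times (seconds) through one bucket; return (served, throttled)."""
    bucket = TokenBucket(rate=rate_per_min / 60.0, burst=burst)
    served = sum(1 for t in arrivals if bucket.allow(t))
    return served, len(arrivals) - served


# Assumed per-scope limits as (requests per minute, burst), checked in this order.
LIMITS: dict[str, tuple[float, float]] = {
    "global": (1_000_000, 10_000),
    "organization": (100_000, 1_000),
    "client": (1_000, 100),
    "ip": (600, 60),
    "user": (60, 10),
}


class LayeredLimiter:
    """Applies every scope's bucket to a request; the first empty bucket rejects it."""

    def __init__(self, limits: dict[str, tuple[float, float]]) -> None:
        self.limits = limits
        self.buckets: dict[tuple[str, str], TokenBucket] = {}

    def _bucket(self, scope: str, key: str) -> TokenBucket:
        bucket = self.buckets.get((scope, key))
        if bucket is None:
            rate_per_min, burst = self.limits[scope]
            bucket = TokenBucket(rate=rate_per_min / 60.0, burst=burst)
            self.buckets[(scope, key)] = bucket
        return bucket

    def check(self, now: float, ids: dict[str, str]) -> tuple[int, str | None]:
        """Return (200, None) if every scope has a token, else (429, scope that ran out).

        Tokens are taken only when all scopes allow the request, so a request
        rejected by the user limit does not also drain the client or global bucket.
        """
        buckets = [(scope, self._bucket(scope, ids.get(scope, "*"))) for scope in self.limits]
        for _, bucket in buckets:
            bucket.refill(now)
        for scope, bucket in buckets:
            if bucket.tokens < 1.0:
                return 429, scope
        for _, bucket in buckets:
            bucket.tokens -= 1.0
        return 200, None


def simulate_login_burst(n: int, now: float = 0.0) -> tuple[list[tuple[int, str | None]], LayeredLimiter]:
    """Constructed scenario: `n` login attempts at the same instant for one user (assumed IDs)."""
    limiter = LayeredLimiter(LIMITS)
    ids = {"organization": "org-example", "client": "client-web", "ip": "198.51.100.7", "user": "alice"}
    return [limiter.check(now, ids) for _ in range(n)], limiter


if __name__ == "__main__":
    print("even over 10 min:", simulate([i * 0.6 for i in range(1000)]))    # (1000, 0)
    print("all at once:", simulate([0.0] * 1000))                            # (100, 900)
    print("even over 1 min:", simulate([i * 0.06 for i in range(1000)]))    # (1000, 0)
    results, _ = simulate_login_burst(11)
    print("11th login:", results[-1])                                        # (429, 'user')
```

The clock is passed in explicitly so the scenarios are deterministic; a real deployment would take `now` from a monotonic clock and keep the buckets in storage shared by all API nodes so that every node sees the same token counts. The third pattern is the caveat to keep in mind: 1,000 requests "in the first minute" are all served when spread out, because the refill keeps pace with them, and are throttled only when they arrive faster than the bucket refills.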

To learn more about how to implement Next Identity's rate limiting features, please contact your Next Reason Integration Consultant.