Authentication & Rate Limits

Authentication and rate limits happen early. This protects downstream services and upstream dependencies.

Authentication (API key validation)

The gateway validates the API key before any domain work:

- Key exists and is well-formed.
- Key is active (not revoked or suspended).
- Key is allowed to access the requested API surface.

Rate limiting (quota enforcement)

Rate limits are enforced with Redis-backed counters. They protect against abuse and smooth bursty traffic.

Typical enforcement dimensions:

- Per API key.
- Per endpoint group (expensive routes vs cheap routes).
- Optional method differentiation (read vs write).

Client-visible behavior

- Limits are evaluated on a rolling window basis.
- Over-limit requests return a structured error.
- Rejected requests fail fast. They do not consume downstream capacity.

For high-frequency workloads, prefer WebSockets or webhooks over polling. Polling turns quotas into latency and reliability problems.
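The three API key checks from the authentication section, run in the order a gateway would run them, as an added example that is not the gateway's own code. The key format (an `ak_` prefix plus 32 base62 characters), the status names, the surface names and the in-memory key table are assumptions made for the illustration; storing keys by SHA-256 digest is likewise an assumption, not something the page states.

```python
"""API key validation performed before any domain work.

Added example, not the gateway's own code. The key format, status names,
surface names and the in-memory key store are constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Assumed key format; the page only requires that a key be "well-formed".
KEY_PATTERN = re.compile(r"^ak_[A-Za-z0-9]{32}$")


@dataclass(frozen=True)
class KeyRecord:
    status: str                  # "active", "revoked" or "suspended"
    surfaces: FrozenSet[str]     # API surfaces this key may call


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    reason: str                  # "ok", "malformed", "unknown", "revoked", "suspended", "forbidden_surface"


def key_digest(raw_key: str) -> str:
    """Keys are stored and looked up by SHA-256 digest only, so a leaked
    key table does not yield usable credentials (an assumption, not stated
    on the page)."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


# Constructed sample keys and store.
ACTIVE_KEY = "ak_0123456789abcdefghijklmnopqrstuv"
REVOKED_KEY = "ak_ZYXWVUTSRQPONMLKJIHGFEDCBA987654"
SUSPENDED_KEY = "ak_aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb"

KEY_STORE: Dict[str, KeyRecord] = {
    key_digest(ACTIVE_KEY): KeyRecord("active", frozenset({"market-data"})),
    key_digest(REVOKED_KEY): KeyRecord("revoked", frozenset({"market-data", "trading"})),
    key_digest(SUSPENDED_KEY): KeyRecord("suspended", frozenset({"market-data"})),
}


def validate(store: Dict[str, KeyRecord], raw_key: str, surface: str) -> AuthResult:
    """Run the three checks in order; each failure returns before the next
    check, so a malformed key never costs a store lookup."""
    # 1. Key exists and is well-formed: reject syntactically bad keys
    #    before touching the store.
    if raw_key is None or not KEY_PATTERN.fullmatch(raw_key):
        return AuthResult(False, "malformed")
    record = store.get(key_digest(raw_key))
    if record is None:
        return AuthResult(False, "unknown")
    # 2. Key is active (not revoked or suspended).
    if record.status != "active":
        return AuthResult(False, record.status)
    # 3. Key is allowed to access the requested API surface.
    if surface not in record.surfaces:
        return AuthResult(False, "forbidden_surface")
    return AuthResult(True, "ok")


if __name__ == "__main__":
    for key, surface in [(ACTIVE_KEY, "market-data"), (ACTIVE_KEY, "trading"),
                         (REVOKED_KEY, "market-data"), ("ak_short", "market-data")]:
        print(key[:8], surface, validate(KEY_STORE, key, surface))
```

The order matters for the fail-fast property the page describes: the format check costs nothing and rejects garbage before any lookup, the status check rejects revoked or suspended keys before any authorization logic runs, and only a live key reaches the surface check.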
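A rolling-window limiter over the dimensions the rate limiting section names (API key, endpoint group, method), returning the structured error the client-visible behavior section describes. This is an added example, not the gateway's own code. The limit numbers, the group and method names and the error fields are constructed assumptions, and the counter store is an in-memory stand-in that mirrors the Redis sorted-set operations (ZADD, ZREMRANGEBYSCORE, ZCARD) a Redis-backed implementation would use.

```python
"""Rolling-window rate limiting keyed by API key, endpoint group and method.

Added example, not the gateway's own code. Limits and names are constructed;
WindowStore is an in-memory stand-in for Redis sorted sets."""
import bisect
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    max_requests: int
    window_seconds: float


# Constructed limit table: the page names these dimensions but gives no numbers.
LIMITS: Dict[Tuple[str, str], Limit] = {
    ("cheap", "read"): Limit(100, 60.0),
    ("cheap", "write"): Limit(20, 60.0),
    ("expensive", "read"): Limit(10, 60.0),
    ("expensive", "write"): Limit(2, 60.0),
}


class WindowStore:
    """Stand-in for one Redis sorted set per counter key.

    Each list holds request timestamps in ascending order. trim/count/add
    mirror ZREMRANGEBYSCORE/ZCARD/ZADD; in production those steps run
    atomically (Lua script or MULTI/EXEC) so concurrent requests cannot
    both slip under the limit."""

    def __init__(self) -> None:
        self._sets: Dict[str, List[float]] = defaultdict(list)

    def trim(self, key: str, cutoff: float) -> None:
        # ZREMRANGEBYSCORE key -inf cutoff: drop requests that left the window.
        ts = self._sets[key]
        del ts[:bisect.bisect_right(ts, cutoff)]

    def count(self, key: str) -> int:          # ZCARD key
        return len(self._sets[key])

    def oldest(self, key: str) -> float:       # ZRANGE key 0 0
        return self._sets[key][0]

    def add(self, key: str, ts: float) -> None:  # ZADD key ts ts
        bisect.insort(self._sets[key], ts)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    remaining: int
    retry_after: float
    error: Optional[dict]        # structured error body for rejected requests


def check(store: WindowStore, api_key: str, group: str, method: str, now: float) -> Decision:
    """Evaluate one request against its rolling window. A rejection is
    decided here, before any downstream call is made."""
    limit = LIMITS[(group, method)]
    key = f"rl:{api_key}:{group}:{method}"
    store.trim(key, now - limit.window_seconds)
    used = store.count(key)
    if used >= limit.max_requests:
        # The window reopens when the oldest counted request ages out.
        retry_after = store.oldest(key) + limit.window_seconds - now
        return Decision(False, 0, retry_after, {
            "error": "rate_limited",
            "scope": f"{group}:{method}",
            "limit": limit.max_requests,
            "window_seconds": limit.window_seconds,
            "retry_after_seconds": retry_after,
        })
    store.add(key, now)
    return Decision(True, limit.max_requests - used - 1, 0.0, None)


if __name__ == "__main__":
    s = WindowStore()
    for t in (0.0, 1.0, 2.0, 60.0):
        print(t, check(s, "ak_demo", "expensive", "write", t))
```

Because the counter key includes the endpoint group and method, exhausting an expensive write budget leaves the same key's cheap reads untouched, and because the cutoff is computed from the current time rather than a fixed bucket boundary, a client cannot double its effective rate by straddling two fixed windows.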