You can associate a user-level rate limit policy with a managed API to control the number of times a specific API user can invoke the managed API and its operations within a designated time frame.
When you invoke the managed API after reaching the configured rate limit, the API returns an HTTP 429 (Too Many Requests) status code.
You can associate only one user name with one user-level rate limit policy, regardless of whether the rate limit policy is enabled or disabled for the user.
You can associate a user-level rate limit policy only with a managed API in the active state. If you assign a user-level rate limit policy that is disabled on the policy configuration page, the policy status Disabled appears next to the Policy Name field. You can't activate a managed API that has a disabled user-level rate limit policy associated with it. However, you can activate a managed API if the policy is enabled for the managed API but disabled for a specific user.
You can use the user-level rate limit policy with basic, OAuth 2.0, JSON web token (JWT), and session ID authentication methods.
To invoke a managed API using OAuth 2.0 authentication, you must create an OAuth 2.0 token using the credentials provided for the specific user name in the user-level rate limit policy. The managed API invocation succeeds only when you provide the correct OAuth 2.0 Client ID and OAuth 2.0 Client Secret for the specific user.
To invoke a managed API using JSON web token authentication, you must generate a JWT using the credentials provided for the specific user name in the user-level rate limit policy. The managed API invocation succeeds only when you provide the correct JWT for the specific user.
To invoke a managed API using session ID authentication, pass the session ID in the IDS-SESSION-ID request header and then run the API.
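The following is an added example, not code from the product or this page, that simulates what the enforcement described above looks like from the gateway's side: the request's credentials (Basic, a bearer OAuth 2.0 access token, a bearer JWT, or the IDS-SESSION-ID header) are mapped to a user name, the user name is checked against the policy's per-user enable flag, and a sliding-window counter returns 429 with a Retry-After header once that user's limit is reached. The HS256 secret, the password and token tables, the session table, and the function names are all constructed assumptions for the demo; a real gateway would verify JWTs with its configured keys and would introspect OAuth 2.0 tokens against the token issuer rather than a dictionary.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Constructed identity data for the demo (assumptions, not product values).
JWT_SECRET = b"demo-hs256-secret"                 # key the gateway verifies HS256 JWTs with
BASIC_USERS = {"alice": "alice-pw"}               # user name -> password for Basic auth
OAUTH_TOKENS = {"oauth-access-token-bob": "bob"}  # stands in for OAuth 2.0 token introspection
SESSIONS = {"sess-1234": "carol"}                 # IDS-SESSION-ID value -> user name


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(sub: str, secret: bytes = JWT_SECRET) -> str:
    """Mint an HS256 JWT whose 'sub' claim carries the user name (demo helper)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def user_from_jwt(token: str, secret: bytes = JWT_SECRET):
    """Return the 'sub' claim only if the token is HS256 and its signature verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                            # refuse alg confusion ('none', RS256 swap)
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload)).get("sub")
    except (ValueError, TypeError):
        return None


def basic_auth_headers(user: str, password: str) -> dict:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


def identify_user(headers: dict):
    """Map the request's credentials to the user name the policy is keyed on, or None."""
    h = {k.lower(): v for k, v in headers.items()}
    if "ids-session-id" in h:                      # session ID authentication
        return SESSIONS.get(h["ids-session-id"])
    scheme, _, cred = h.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, password = base64.b64decode(cred).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return user if user in BASIC_USERS and hmac.compare_digest(BASIC_USERS[user], password) else None
    if scheme.lower() == "bearer":
        if cred in OAUTH_TOKENS:                   # opaque OAuth 2.0 access token
            return OAUTH_TOKENS[cred]
        return user_from_jwt(cred)                 # otherwise treat the bearer value as a JWT
    return None


class UserRateLimitPolicy:
    """Sliding-window limit on invocations by a named user within window_seconds."""

    def __init__(self, limit: int, window_seconds: int, enabled: bool = True):
        self.limit, self.window, self.enabled = limit, window_seconds, enabled
        self.user_enabled = {}                     # assigned user name -> enabled for that user
        self._hits = defaultdict(deque)            # user name -> timestamps of recent calls

    def assign_user(self, user: str, enabled: bool = True):
        self.user_enabled[user] = enabled

    def handle(self, headers: dict, now: float):
        """Return (HTTP status, response headers) for one managed-API invocation."""
        user = identify_user(headers)
        if user is None:
            return 401, {}
        if not (self.enabled and self.user_enabled.get(user, False)):
            return 200, {}                         # policy off, or not applied to this user
        hits = self._hits[user]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                         # drop calls that aged out of the window
        if len(hits) >= self.limit:
            return 429, {"Retry-After": str(int(self.window - (now - hits[0])) + 1)}
        hits.append(now)
        return 200, {}


def demo():
    """Walk the scenarios from the text; returns the status of each call in order."""
    policy = UserRateLimitPolicy(limit=3, window_seconds=60)
    policy.assign_user("alice")                    # limited
    policy.assign_user("bob", enabled=False)       # policy enabled for the API, disabled for bob
    policy.assign_user("carol")
    alice = basic_auth_headers("alice", "alice-pw")
    out = [policy.handle(alice, t)[0] for t in (0, 1, 2, 3)]         # 200, 200, 200, 429
    out.append(policy.handle(alice, 61)[0])                           # 200: oldest call aged out
    bob = {"Authorization": "Bearer " + make_jwt("bob")}
    out += [policy.handle(bob, t)[0] for t in range(5)]               # never limited
    out.append(policy.handle({"IDS-SESSION-ID": "sess-1234"}, 0)[0])  # 200 via session ID
    out.append(policy.handle({"Authorization": "Bearer " + make_jwt("alice", b"wrong")}, 0)[0])  # 401
    return out
```

The limit is keyed on the user name resolved from the credential, so a caller who rotates tokens or sessions for the same user still shares one counter, and a tampered JWT is rejected before it can consume anyone's quota.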
The following image shows how to configure a user-level rate limit policy for a managed API: