This documentation is for WSO2 API Manager 1.10.0.
Enforce Throttling and Resource Access Policies - API Manager 1.10.0 - WSO2 Documentation

Throttling lets you limit the number of hits to an API during a given period of time, typically to protect your APIs from security attacks and your backend services from overuse, to regulate traffic according to infrastructure limitations, and to regulate usage for monetization. For information on the different levels of throttling in WSO2 Cloud, see Throttling tiers.

This tutorial uses the PhoneVerification API, which has one resource that is accessible through the GET and POST methods and has a throttling policy enforced.

Before you begin, follow Create and Publish an API to create and publish the PhoneVerification API, and then follow Subscribe to an API to subscribe to the API using the Bronze throttling tier.

After you have created, published and subscribed to the API, let's see how the API Gateway enforces throttling and resource access policies on the API.

  1. Log in to the API Store and select the PhoneVerification API.

  2. Subscribe to the API using the Bronze tier if you haven't done so already.

  3. Click My Subscriptions and generate an access token. If you already have an access token for the application, you have to regenerate it after 1 hour. 

    Let's invoke this API. 

  4. Click on the API, then go to its API Console tab and expand the GET method.

  5. Give values to the parameters and click Try it out to invoke the API.

  6. Note the response that appears in the API Console. As we used a valid phone number in this example, the response returns as valid.

  7. Within a minute after the first API invocation, make another attempt to invoke the API. 
  8. Note that you get a throttling error saying that you exceeded your quota. This is because you subscribed to the API on the Bronze throttling tier and the Bronze tier only allows you to make one call to the API per minute.  

    Let's try to invoke the API using an unavailable resource name.
  9. Go to the API's Overview page in the API Store and get the API's URL.

  10. Install cURL or any other REST client.

  11. Go to the command line and invoke the API using the following cURL command. The -k option tells cURL to skip TLS certificate verification, so use it only against a test gateway whose certificate your client does not trust.

    curl -k -H "Authorization: Bearer <access token in step 3>" '<API URL from step 9>/CheckPhoneNum?PhoneNumber=18006785432&LicenseKey=0'

    Note that the PhoneVerification API's resource name is CheckPhoneNumber, but the command uses an undefined resource name, CheckPhoneNum. Here's an example:

    curl -k -H "Authorization: Bearer 63cc9779d6557f4346a9a28b5cfd8b53" 'https://localhost:8243/phoneverify/1.0.0/CheckPhoneNum?PhoneNumber=18006785432&LicenseKey=0'
  12. Note that the call gets blocked by the API Gateway with a 'no matching resource' message. It doesn't reach your backend services as you are trying to access a REST resource that is not defined for the API.

You have seen how the API Gateway enforces throttling and resource access policies for APIs.
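The two checks exercised in this tutorial can be modelled in a few lines. The following is an added example, not WSO2 code: the `Gateway` class, the fixed one-minute window keyed by access token, the order of the checks, and the rule that an unmatched resource does not consume quota are all assumptions made for illustration.

```python
import time


class Gateway:
    """Toy model of the gateway checks in this tutorial (not WSO2's implementation)."""

    def __init__(self, resources, quota=1, window=60.0, clock=time.monotonic):
        self.resources = resources    # resource name -> set of allowed HTTP methods
        self.quota = quota            # Bronze tier on this page: 1 call ...
        self.window = window          # ... per minute
        self.clock = clock            # injectable so the demo needs no real waiting
        self.windows = {}             # access token -> (window start, calls in window)
        self.backend_calls = 0        # how many requests actually reached the backend

    def handle(self, token, method, resource):
        # Resource access policy: undefined resources or methods stop at the gateway.
        if method not in self.resources.get(resource, ()):
            return "no matching resource"
        # Throttling policy: fixed window per access token (assumed model).
        now = self.clock()
        start, count = self.windows.get(token, (now, 0))
        if now - start >= self.window:
            start, count = now, 0     # a new window begins
        if count >= self.quota:
            return "throttled"
        self.windows[token] = (start, count + 1)
        self.backend_calls += 1
        return "forwarded"


def replay_tutorial():
    """Replay the tutorial's calls against the model using a constructed clock."""
    t = [0.0]
    gw = Gateway({"CheckPhoneNumber": {"GET", "POST"}}, clock=lambda: t[0])
    token = "sample-token"            # constructed value, not a real access token
    results = [gw.handle(token, "GET", "CheckPhoneNumber")]      # step 5: first call
    t[0] = 30.0
    results.append(gw.handle(token, "GET", "CheckPhoneNumber"))  # step 7: within a minute
    t[0] = 61.0
    results.append(gw.handle(token, "GET", "CheckPhoneNum"))     # step 11: undefined resource
    results.append(gw.handle(token, "GET", "CheckPhoneNumber"))  # next window, valid resource
    return results, gw.backend_calls


if __name__ == "__main__":
    print(replay_tutorial())
```

Only the two forwarded calls increment `backend_calls`, which is the property the tutorial demonstrates: throttled and unmatched requests are answered by the gateway and never reach the backend service.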
