This documentation is for WSO2 API Manager 1.8.0.
Enforce Throttling and Resource Access Policies - API Manager 1.8.0 - WSO2 Documentation

Throttling allows you to limit the number of hits to an API during a given period of time, typically to protect your APIs from security attacks and your backend services from overuse, to regulate traffic according to infrastructure limitations, and to regulate usage for monetization. For information on different levels of throttling in WSO2 Cloud, see Throttling tiers.

This tutorial uses the PhoneVerification API, which has one resource, accessible through the GET and POST methods, and a throttling policy enforced on it.

Before you begin, follow the Create and Publish an API and the Subscribe to an API tutorials to create, publish and subscribe to the PhoneVerification API using the Bronze throttling tier.

After you have created, published and subscribed to the API, let's see how the API Gateway enforces throttling and resource access policies on the API.

  1. Log in to the API Cloud and the API Publisher will open automatically.

  2. Click the Go to API Store link in the top right-hand corner of the API Publisher to open your default API Store.  

    Tip: You can access any tenant's store using the URL http://<hostname>/Store?tenant=<tenant_name>.

  3. Click the API Console tab. 
  4. Expand the GET method, provide values for the PhoneNumber and LicenseKey parameters and invoke the API.
  5. The response appears in the console. As we used a valid phone number in this example, the response returns as valid.

  6. Within a minute after the first API invocation, make another attempt to invoke the API.
  7. Note that you get a throttling error saying that you exceeded your quota. This is because you subscribed to the API on the Bronze throttling tier and the Bronze tier only allows you to make one call to the API per minute.

    Let's try to invoke an invalid resource. 
  8. Install cURL if it is not already installed in your environment. Note that cURL comes by default in some operating systems. You can also use any other REST client.

  9. Open the command line and execute the following cURL command with an invalid resource name (e.g., CheckPhoneNum). Get the <API URL> from the API's Overview tab in the API Store.

    curl -H "Authorization:Bearer <access token>" -v '<API URL>/CheckPhoneNum?PhoneNumber=123456&LicenseKey=0'

  10. Note that you get a 'no matching resource' message. This is because you are trying to access a REST resource that is not defined for the API.
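
The checks in steps 4 to 10 can also be scripted so that they can be repeated after a tier or resource change. The script below is an added example, not part of the WSO2 documentation: `API_URL`, `TOKEN` and `VALID_RESOURCE` are placeholders you supply, and the function names are hypothetical helpers. It assumes that any 4xx or 5xx status means the gateway rejected the call, because this page does not state which status codes the gateway returns.

```shell
#!/usr/bin/env bash
# Added example: confirm from the command line that the gateway enforces both
# policies shown in the tutorial. API_URL, TOKEN and VALID_RESOURCE are
# placeholders you supply; the function names are hypothetical helpers.

# Map an HTTP status code to the gateway's decision (assumption: 4xx/5xx = rejected).
classify() {
  case "$1" in
    2??) echo allowed ;;
    4??|5??) echo rejected ;;
    *) echo unknown ;;          # e.g. 000 when curl could not connect
  esac
}

# verdict <first> <second> <invalid>: status codes of the first call, the
# repeat call inside the same minute, and the call to the undefined resource.
# Returns 0 only if the first was allowed and the other two were rejected.
verdict() {
  local rc=0
  [ "$(classify "$1")" = allowed ]  || { echo "FAIL: first call returned $1"; rc=1; }
  [ "$(classify "$2")" = rejected ] || { echo "FAIL: repeat call not throttled ($2)"; rc=1; }
  [ "$(classify "$3")" = rejected ] || { echo "FAIL: undefined resource reachable ($3)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "PASS: throttling and resource policies enforced"
  return "$rc"
}

# Send one GET and print only the HTTP status code.
status_of() {
  curl -s -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer ${TOKEN}" "$1"
}

# Live run only when all three placeholders are set.
if [ -n "${API_URL:-}" ] && [ -n "${TOKEN:-}" ] && [ -n "${VALID_RESOURCE:-}" ]; then
  q='PhoneNumber=123456&LicenseKey=0'
  first=$(status_of "${API_URL}/${VALID_RESOURCE}?${q}")
  second=$(status_of "${API_URL}/${VALID_RESOURCE}?${q}")   # same minute
  sleep 60   # let the Bronze quota reset so the next rejection is not a throttling one
  invalid=$(status_of "${API_URL}/CheckPhoneNum?${q}")
  verdict "$first" "$second" "$invalid"
fi
```

The script exits non-zero if the repeat call is served or the undefined resource is reachable, so it can be used as a regression check on a gateway you administer.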

In this tutorial, you saw how the API Gateway enforces throttling and resource access policies on APIs.
