Page History
In WSO2 API Manager, an API, application or a resource can be available to a consumer at different levels of service. This is facilitated by throttling tiers. Throttling tiers are used to limit the number of hits to an API /application or a resource during a given period of time, typically in cases of infrastructure limitations, security concerns (preventing DOS attacks), monetization purposes etc.
...
Throttling is enabled in API Manager in 3 different levels as follows. The topics below describe this:
| Table of Contents | ||||
|---|---|---|---|---|
|
API-level throttling
API-level throttling tiers are defined by the API creator when creating Creating an API using the API Publisher. At subscription time, the consumers of the API can log in to the API Store and select which tier they are interested in using the API Store as follows:
According to the tiers s/he selects, the subscriber is granted a maximum number of requests to the API.
Resource-level throttling
Setting tier permissions
Users with Manage Tiers permission can set role-based permissions to API-level access throttling tiers. This is done using the Tier Permissions menu of API Publisher as shown below. For each tier, you can specify a comma-separated list of roles and either Allow or Deny access to the list.
A subscriber logged into the API Store can consume APIs using a specific tier, only if s/he is assigned to a role that is allowed access. In the API Store, the subscriber sees a list of tiers that is filtered based on the subscriber's role. Only the ALLOWED roles appear here. By default, all tiers are allowed to everyone.
Application-level throttling
Application-level throttling tiers are defined at the time an application is created using the API Store. For information, see Application-Level Throttling Applications and application-level throttling.
Resource-level throttling
Resource-level throttling is defined to HTTP verbs of an API's resources by the developer at the time an API is created using the Publisher. When a subscriber views an API using the API Store, s/he can see the resource-level throttling tiers using the Throttle Info tab as follows:
Subscribers are not allowed to change these throttling tiers. They are simply notified of the limitations.
How throttling tiers work
- When an API is invoked, it first checks whether the request is allowed by application-level throttling limit. If an application has exceeded its maximum number of allowed requests, the new request will be terminated.
- If application-level limit is not exceeded, it then checks whether the request is allowed by resource-level throttling limit. If it has exceeded, the request will be terminated.
- If resource-level limit is not exceeded, it finally checks whether the request is allowed by API-level throttling limit. If the limit is not exceeded, then the request will be granted.
With capability to define throttling at three levels, the final request limit granted to a given user on a given API is ultimately defined by the summed consolidated output of all of these different throttling tiers together. For example, lets say two users subscribe to an API using the Gold subscription, which allows 20 requests per minute. They both use the application App1 for this subscription, which again has a throttling tier set as to 20 requests per minute. All resource level throttling tiers are unlimited. In this scenario, although both users are eligible for 20 requests per minute access to the API, each ideally has a limit of only 10 requests per minute. This is due to the application-level limitation of 20 requests per minute.
...
Overview
Content Tools
Activity