Developers are rate limiting their APIs to improve their application’s security and performance. Learn more about API throttling and rate limits in this blog.
APIs allow you to share your application data with other developers (both internal and external) as well as other apps. As businesses continue to accelerate their API strategies, you as the application manager/owner have to make sure that your application is always secure and high-performing. Well-designed APIs that allow you to throttle API requests are what you need for better security and throughput.
What is API Throttling?
API throttling allows you to control the way an API is used. Throttling allows you to set permissions as to whether certain API calls are valid or not. Throttles indicate a temporary state, and are used to control the data that clients can access through an API. When a throttle is triggered, you can disconnect a user or just reduce the response rate. You can define a throttle at the application, API or user level.
As a developer, you have control over what applications and which users can use your APIs. Just like permissions, a combination of multiple throttles may be used on a single request. You can even have multiple levels of throttling based on the user. For example, you can restrict sensitive information from external developers, while giving access to the same for internal developers.
Why Do You Need Throttling?
• APIs are a gateway to your backend resources and throttling offers you an extra layer of protection for those resources.
• You can deliver consistent applications by making sure that a single client is not suffocating your applications. Enhanced performance will drastically improve the end-user experience.
• You can control user authentication and access by rate limiting APIs at various levels—resource, API or application.
• You can design a robust API that can be leveraged by multiple groups based on their access level. Simplified API monitoring and maintenance can help reduce your costs.
What are the Types of Throttling?
Enterprises custom throttle their APIs based on the needs of their organization such as monetization, authentication, security, governance, performance, availability, etc. Here are some general throttling strategies adopted by the industry today to help you decide what your API needs:
• Rate-Limit Throttling: This is a simple throttle that enables the requests to pass through until a limit is reached for a time interval. A throttle may be incremented by a count of requests, size of a payload or it can be based on content; for example, a throttle can be based on order totals. This is also known as the API burst limit or the API peak limit.
• IP-level Throttling: You can make your API accessible only to a certain list of whitelisted IP addresses. You can also limit the number of requests sent by a certain client IP.
• Scope Limit Throttling: Based on the classification of a user, you can restrict access to specific parts of the API—certain methods, functions or procedures. Implementing scope limits can help you leverage the same API across different departments in the organization.
• Concurrent Connections Limit: Sometimes your application cannot respond to more than a certain number of connections. In such cases, you need to limit the number of connections from a user/account to make sure that other users don’t face a DoS (Denial of Service) error. This kind of throttling also helps secure your application against malicious cyber-attacks.
• Resource-level Throttling (also referred to as Hard Throttling): If a certain query returns a large result set, you can throttle the request so that your SQL engine limits the number of rows returned by using conditions attributes like TOP, SKIP, SQL_ATTR_MAX_ROWS, etc.
• Tiers of Throttling: Throttling can be applied at multiple levels in your organization: API-level throttling; Application-level throttling; User-level throttling; Account-level throttling.
How to Throttle an API/Query
Throttling your API is an extremely sensitive process and it can have a huge impact on customer satisfaction, application performance and security. For that reason, I recommend you use our commercial enterprise solutions that have inherent support for throttling:
• Hybrid Data Pipeline: offers throttled ODBC, JDBC and OData APIs for popular databases such as IBM DB2, Oracle, SQL Server, MySQL, PostgreSQL, SAP Sybase, Hadoop Hive, Salesforce, Google Analytics and many more. To find out more details, you can check out our blog post on Hybrid Data Pipeline’s throttling capabilities. Furthermore, OData has built-in functions such as $count, $top and $skip to filter the query results passed back to a client. In turn, pagination can help in avoiding throttling restrictions and possible performance degradation. You can learn more about OData here.
• OpenAccess SDK: In other cases where you have proprietary enterprise APIs, you can leverage our OpenAccess SDK to deploy a standard SQL interface—ODBC, JDBC, ADO.NET or OLE-DB. The SDK supports several throttling capabilities to meet your API throttling needs. The best part of OpenAccess is that it can easily integrate with your existing security and authentication systems, so it can serve as a true extra layer of protection for your enterprise APIs and the underlying backend resources.
As both these products are extremely unique and powerful, I highly recommend that you discuss your throttling needs with our product experts. Happy throttling!
Nishanth Kadiyala is a Technical Marketing Manager at Progress.
1 en 2 oktober 2018 Een pragmatische en geïntegreerde aanpak van business analyse door gerenommeerd spreker James Robertson. Deze workshop behandelt een framework voor business analyse die u gebruikt wanneer u werkt in een agile omgeving en stories...
1 november 2018Praktisch seminar waarin Sander Hoogendoorn u laat zien hoe u microservices kunt inzetten in uw softwarearchitectuur.Het nieuwste architectuurprincipe microservices lijkt veelbelovend: verkorte time-to-market, schaalbaarheid, auto...
5 t/m 7 november 2018Driedaagse workshop over requirements management door James Archer. Opstellen, testen en ondubbelzinnig vastleggen van requirements. Unieke driedaagse workshop over requirements management op basis van de Volere methodiek door Ja...
15 november 2018 API Management gaat enerzijds over het promoten van API’s en anderzijds over het actief ondersteunen van ontwikkelaars bij het gebruik ervan. Tegelijkertijd gaat API Management over het gecontroleerd en centraal beveiligd ontsl...
28 november 2018Workshop met BPM-specialist Christian Gijsels over business analyse, modelleren en simuleren met de nieuwste release van Sparx Systems' Enterprise Architect, versie 14.Intensieve cursus waarin alle basisfunctionaliteiten van Enterpris...
6 december 2018 Iedere organisatie heeft te maken met het integreren van systemen en applicaties. Maar welke technologie zet u in bij welke vorm van integratie? Guy Crets bespreekt de verschillende oplossingen voor integratie. Integratie van IT...
5 en 6 juni 2019 Praktische tweedaagse workshop met internationaal gerenommeerde spreker Alec Sharp over herkennen, beschrijven en ontwerpen van business processen. De workshop wordt ondersteund met praktijkvoorbeelden en duidelijke, herbruikbar...