API governance with rate limits & quotas
This section outlines the procedures for securing API access within Quickwork's API Management tool.
It focuses on strategically using rate limits and quotas to control how frequently specific clients can call APIs.
✅ Prerequisites
- An existing API endpoint and client setup within Quickwork's API Management tool.
Rate limits & quotas
Rate limits and quotas are essential tools for managing how clients interact with your APIs. They help prevent overuse, ensure fair access and prevent abuse. Consider the Demo Team as a premium client; we need to manage their API usage without granting unlimited access. Implementing rate limits and quotas is crucial in controlling how often they can call the API.
- Rate limit: Defines how many API calls a client can make within a short, specified time frame (for example, per second, per minute or per hour).
- Quota: Specifies the maximum number of API calls a client can make within a longer period, such as a month or year.
Setting rate limits and quotas
- Access client settings:
  - Navigate to the API Management page via the Tools menu in Quickwork.
  - Click on the Clients tab and select the client for which you want to set limits. Consider the Demo Team for illustration.
- Edit access profile:
  - To modify settings, click the horizontal ellipsis next to the access profile, such as Demo Team Member 1.
  - Choose Edit to proceed with configuring rate limits and quotas.
- Set rate limits:
  - Set the Time Interval for Rate limit to Per minute and the Number of requests to 5, giving 5 requests per minute.
  - This setting limits the client to no more than 5 API calls per minute, preventing server overload and keeping resources available.
- Set quotas:
  - Define the Usage Quota to limit the total number of API calls the client can make in a month, for example, allowing only 50 API calls per month.
  - This helps manage long-term API usage and ensures that clients use resources judiciously.
- Optional IP whitelisting:
  - You may specify the IPs from which API calls are allowed, enhancing security by restricting access to trusted sources. Leave the field blank or enter the specific IP addresses to allow, as needed.
- Review all settings and click Submit to apply the new rate limits and quotas.

Testing rate limits and quotas with Postman
- Test rate limit:
  - Use Postman to send API requests and observe how the API responds when the rate limit is exceeded. For example, if you have set a limit of 5 requests per minute, send 6 requests within one minute.
  - Observe the responses from the API, such as an API rate limit exceeded message after the 6th request within the minute. This confirms that rate limiting is functioning as expected.
- Test monthly quota:
  - Continue to make API calls over a longer period, for example over a month, to test the monthly quota.
  - Watch for messages like Exceeded the quota for the month after the set quota limit has been reached.
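To make the configured behaviour concrete, here is an added Python model of the access profile from this walkthrough (5 requests per minute, 50 per month, optional IP whitelist) and of the two tests above. It is illustrative code written for this page, not Quickwork's implementation; the timestamps and IP addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

RATE_MSG = "API rate limit exceeded"
QUOTA_MSG = "Exceeded the quota for the month"
CLIENT_IP = "203.0.113.10"  # constructed address standing in for the Demo Team client
T0 = datetime(2024, 3, 1, 9, 0, 0)  # constructed start of the test run

@dataclass
class AccessProfile:
    """Walkthrough limits: 5 calls/minute, 50/month, optional whitelist (empty = any IP)."""
    rate_limit: int = 5
    rate_window: timedelta = timedelta(minutes=1)
    monthly_quota: int = 50
    allowed_ips: FrozenSet[str] = frozenset()
    window_start: Optional[datetime] = None
    window_count: int = 0
    month_key: Tuple[int, int] = (0, 0)
    month_count: int = 0

    def check(self, now: datetime, source_ip: str) -> str:
        """Decide one request. A rejected request consumes no budget."""
        if self.allowed_ips and source_ip not in self.allowed_ips:
            return "Forbidden: source IP not whitelisted"
        # Fixed one-minute window for the rate limit.
        if self.window_start is None or now - self.window_start >= self.rate_window:
            self.window_start, self.window_count = now, 0
        # Calendar month for the quota.
        if (now.year, now.month) != self.month_key:
            self.month_key, self.month_count = (now.year, now.month), 0
        if self.month_count >= self.monthly_quota:
            return QUOTA_MSG
        if self.window_count >= self.rate_limit:
            return RATE_MSG
        self.window_count += 1
        self.month_count += 1
        return "OK"

def simulate_burst(count: int = 6) -> List[str]:
    """The Postman test: six requests inside one minute, so the 6th is rejected."""
    profile = AccessProfile()
    return [profile.check(T0 + timedelta(seconds=i), CLIENT_IP) for i in range(count)]

def simulate_month(minutes: int = 11) -> List[str]:
    """Five requests per minute, well spaced: the 51st call trips the monthly quota."""
    profile = AccessProfile()
    return [profile.check(T0 + timedelta(minutes=m, seconds=i), CLIENT_IP)
            for m in range(minutes) for i in range(5)]
```

A profile created with `allowed_ips=frozenset({CLIENT_IP})` refuses a call from any other address before either counter is consulted, which is the effect of the optional whitelist field.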
✏️ Tips and recommendations
- Periodically check and adjust rate limits and quotas to align with changing business needs and API usage patterns.
- Ensure all API users understand the rate limits and quotas to avoid unexpected service interruptions.
- Monitor API usage to detect potential abuses or needs for adjustment in rate limits and quotas.
📚 Additional resources
API terminologies
Building a callable journey for API management
Creating and testing API endpoints
Creating and managing client access
Testing and sharing the API
Sample use case on API management: HR operations