See it in action (demos)

ByIpAddress protection type

The ByIpAddress protection type allows you to limit the number of requests that a specific function of your API will accept from each IP address.

In the demo we use two virtual machines so that we can make requests to the API from different IP addresses.

Each IP address (each machine) can make 5 requests every 10 seconds. Once the defined limit has been reached, the function begins to return HTTP 429 statuses. Once 10 seconds have passed since the accepted requests, another 5 requests are allowed from each IP address.

ByIdentity protection type

The ByIdentity protection type allows you to limit the number of requests that a specific function of your API will accept from each user.

In the demo we will make 10 parallel requests with 4 different users (each request carries a different ApiKey in its header to authenticate as a different user in the API).

Each user can make 5 requests every 10 seconds. Once the defined limit has been reached, the function begins to return HTTP 429 statuses. Once 10 seconds have passed since the accepted requests, another 5 requests are allowed for each user.

ByRole protection type

The ByRole protection type allows you to limit the number of requests that a specific function of your API will accept in total from a group of users that have a certain role.

In the demo we will make 10 parallel requests with 4 different users (each request carries a different ApiKey in its header to authenticate as a different user in the API).
The first 2 of these 4 users have the role “User” (the user John with the ApiKey ‘jjjjj’, and the user Susan with the ApiKey ‘sssss’).
The last 2 of these 4 users have the role “Admin” (with the ApiKeys ‘a1111’ and ‘a2222’).

All users belonging to the role “User” can make, in total among them, 5 requests every 10 seconds. Once the defined limit has been reached, the function begins to return HTTP 429 statuses.
When John makes the first 5 requests, the total limit of 5 requests every 10 seconds is reached for the role, so Susan cannot make any more requests because she is in the same role.
Once 10 seconds have passed since the accepted requests, another 5 requests are allowed for the users with the role “User”.
In this sample, the role “Admin” is not limited, so each admin can make unlimited requests.

Default protection type

The Default protection type allows you to limit the number of requests that a specific function of your API will accept in total, regardless of which IP, user or role the request comes from.

This type of protection is intended to be used in combination with other protections. For example, you can combine 5 requests per IP every 10 seconds (protection by IP) with a maximum of 200 requests every 30 seconds (protection by default). In this example, however, we will see this protection on its own, limiting the function to a total of 5 requests every 10 seconds regardless of any other condition.
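
The four protection types and the combination described above can be modelled as follows. This is an added example, not the library's own code or API: it assumes a sliding window that counts only accepted requests, and the `Rule` class, key functions, request fields and 10.0.x.x addresses are constructed for illustration.

```python
from collections import defaultdict, deque
class Rule:
    """At most `limit` accepted requests per `window` seconds per partition key."""
    def __init__(self, limit, window, key_of):
        self.limit, self.window, self.key_of = limit, window, key_of
        self.accepted = defaultdict(deque)  # key -> times of accepted requests

    def allows(self, req, now):
        if (key := self.key_of(req)) is None:   # request outside this rule's scope
            return True
        times = self.accepted[key]
        while times and now - times[0] >= self.window:
            times.popleft()                     # forget requests older than the window
        return len(times) < self.limit

    def record(self, req, now):
        if (key := self.key_of(req)) is not None:
            self.accepted[key].append(now)

# Partition keys mirroring the four protection types (request fields are assumed).
by_ip = lambda r: r["ip"]                 # assumes an address the server trusts
by_identity = lambda r: r["api_key"]
by_role_user = lambda r: "User" if r["role"] == "User" else None  # Admin unlimited
default = lambda r: "*"                   # one shared bucket for every caller

def handle(req, rules, now):
    """Return 200 and count the request only if every rule allows it, else 429."""
    if all(rule.allows(req, now) for rule in rules):
        for rule in rules:
            rule.record(req, now)
        return 200
    return 429

JOHN = {"ip": "10.0.0.1", "api_key": "jjjjj", "role": "User"}   # constructed callers
SUSAN = {"ip": "10.0.0.2", "api_key": "sssss", "role": "User"}
ADMIN = {"ip": "10.0.0.3", "api_key": "a1111", "role": "Admin"}

def role_demo():
    rules = [Rule(5, 10, by_role_user)]
    john = [handle(JOHN, rules, now=t) for t in range(5)]   # accepted at t = 0..4 s
    susan_blocked = handle(SUSAN, rules, now=5)             # role budget already spent
    admin = [handle(ADMIN, rules, now=5) for _ in range(20)]
    susan_later = handle(SUSAN, rules, now=10)              # John's t=0 request expired
    return john, susan_blocked, admin, susan_later

def combined_demo():
    rules = [Rule(5, 10, by_ip), Rule(200, 30, default)]    # per-IP plus global cap
    reqs = [{**JOHN, "ip": f"10.0.1.{i // 5}"} for i in range(205)]  # 41 IPs x 5
    return [handle(r, rules, now=0) for r in reqs]
```

In `combined_demo` no single IP exceeds its own limit, yet the 41st address is rejected because the global cap of 200 is already used up, which is the case the Default protection is meant to cover.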