Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays New York 2024 - The subtle art of API r...

apidays
PRO
May 14, 2024
Technology
0
16

Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo

The subtle art of API rate limiting
Josh Twist, Co-founder & CEO at Zuplo

Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

May 14, 2024
Tweet

More Decks by apidays

See All by apidays
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai
apidays
PRO
0
26
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines by Vesa Vähämaa, Finnlines
apidays
PRO
0
24
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hanna Sillanpaa, Abloy
apidays
PRO
0
17
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
apidays
PRO
0
27
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Testing with K6 by Ayush Goyal, Grafana Labs
apidays
PRO
0
16
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli Kilpeläinen, Betolar
apidays
PRO
0
13
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific
apidays
PRO
0
28
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giraldo, ING
apidays
PRO
0
25
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring Them Together by Merja Kajava, Aavista Oy
apidays
PRO
0
13

Other Decks in Technology

See All in Technology
タイミーのレコメンドにおける ABテストの運用
ozeshun
1
160
LLVM/ASMを使った有限体の高速実装
herumi
0
120
Road to Single Activity
yurihondo
2
240
不動産売買取引におけるAIの可能性とプロダクトでのAI活用
zabio3
0
270
サーバレスでモバイルアプリ開発! NTTコム「ビジネスdアプリ」のアーキテクチャ / The architecture of business d app
nttcom
12
240
持続可能なソフトウェア開発を支える『GitHub CI/CD実践ガイド』
tmknom
8
1.4k
GC24 Recap: Interface Internals
task4233
0
150
PdMはどのように全てのスピードを上げられるか ~ 非連続進化のための具体的な取り組み ~
sansantech
PRO
4
1.3k
技術的負債解消の取り組みと専門チームのお話
bengo4com
0
340
『GRANBLUE FANTASY Relink』ソフトウェアラスタライザによる実践的なオクルージョンカリング
cygames
0
170
サーバー管理しないサーバーサービスManaged DevOps Pool
kkamegawa
0
130
App Router を実プロダクトで採用して見えてきた勘所をちょっとだけ紹介
marokanatani
1
930

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
59
7.3k
Facilitating Awesome Meetings
lara
49
6k
Fantastic passwords and where to find them - at NoRuKo
philnash
48
2.8k
The World Runs on Bad Software
bkeepers
PRO
64
11k
Building Your Own Lightsaber
phodgson
101
6k
Design by the Numbers
sachag
277
19k
How To Stay Up To Date on Web Technology
chriscoyier
786
250k
10 Git Anti Patterns You Should be Aware of
lemiorhan
653
58k
Into the Great Unknown - MozCon
thekraken
29
1.4k
Testing 201, or: Great Expectations
jmmastey
36
7k
GraphQLとの向き合い方2022年版
quramy
43
13k
Music & Morning Musume
bryan
46
6k

Transcript

  1. The subtle art of API rate limiting Josh Twist CEO

    @zuplo
  2. None

  3. Me Founded several services in Microsoft Azure: API Management Logic

    Apps Mobile Services Power Automate Pro Head of Product at Stripe and Facebook Been a vendor and a customer of API gateways / management

  4. Agenda Why do we need this? What’s the canonical approach?

    Private or Public Latency tradeoffs and optimizing the customer experience Observability Demo Content

  5. Am I actually going to be attacked?

  6. Am I actually going to be attacked? Yes, but not

    by who you think.

  7. Why do we need rate limiting? Protect resource consumption Protect

    resource starvation Ensure good experience for all customers Discourage abusers Enforce business model

  8. A canonical response Status - 429 Status Text - Too

    Many Requests Header - Retry-After: 3600 Body - Use Problem Details format (IETF RFC 7807)

  9. A canonical response Status - 429 Status Text - Too

    Many Requests Header - Retry-After: 3600 Body - Use Problem Details format (IETF RFC 7807) Do you want to do this?

  10. Private or public limits? Disclosing limits allows malicious users to

    easily maximize their consumption of your resources without hitting the limit Not disclosing limits makes it hard for consumers to avoid hitting your rate limit Informal Partnership 
(e.g. Free Tier) Formal Partnership 
(e.g. Contracted Customer) Hide limits Disclose limits

  11. How to apply rate limiting IP based?

  12. Rate limiting in distributed systems is hard

  13. The latency / accuracy tradeoff Being accurate means completing the

    rate limit check before allowing the request to proceed == a slower API for everyone You incur the latency on every request, whether an problem is afoot or not Consider a more lenient approach where you run the check asynchronously and cache blocked consumers Here’s how

  14. Async rate limiting Have a local cache to store known

    limited consumers (store the retry time also) Check the rate limit in parallel with performing the primary request If rate limit check comes back blocked, update the cache and, if the primary request not compete, override the response. Otherwise, the next request will be blocked anyway.

  15. Observability? RPS (requests per second) report See rate limited responses

    Break down by bucket (IP, user etc) What are the minimum requirements

  16. This content available online now Blog post: zuplo.link/rate-limiting-blog Video: zuplo.link/rate-limiting-video