Rate Limiting
The API Gateway implements per-tenant rate limiting through the Kong advanced-rate-limiter plugin. Rate limits are configured per tenant with tiered policies that define limits for second, minute, and hour windows. Rate limit counters are stored in Redis for distributed state across gateway instances.
Rate Limit Configuration
TenantRateLimitConfig Properties
| Property | Type | Default | Description |
|---|---|---|---|
tier | String | required | Tenant tier name (e.g., free, professional, enterprise) |
secondLimit | int | 10 | Maximum requests per second |
secondBurst | int | 15 | Burst limit per second (allows short spikes) |
minuteLimit | int | 100 | Maximum requests per minute |
minuteBurst | int | 150 | Burst limit per minute |
hourLimit | int | 1000 | Maximum requests per hour |
hourBurst | int | 1200 | Burst limit per hour |
windows | List | [second, minute, hour] | Time windows to enforce |
Configure Tenant Rate Limit
Endpoint: POST /api/v1/gateway/tenants/:tenantId/rate-limit
curl -X POST http://localhost:8080/api/v1/gateway/tenants/550e8400-e29b-41d4-a716-446655440000/rate-limit \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${TOKEN}" \
-d '{
"tier": "professional",
"secondLimit": 50,
"secondBurst": 75,
"minuteLimit": 500,
"minuteBurst": 750,
"hourLimit": 10000,
"hourBurst": 12000,
"windows": ["second", "minute", "hour"]
}'Default Tier Limits
| Tier | Per Second | Per Minute | Per Hour |
|---|---|---|---|
| Free | 10 (burst: 15) | 100 (burst: 150) | 1,000 (burst: 1,200) |
| Professional | 50 (burst: 75) | 500 (burst: 750) | 10,000 (burst: 12,000) |
| Enterprise | 200 (burst: 300) | 2,000 (burst: 3,000) | 50,000 (burst: 60,000) |
How It Works
When configureTenantRateLimit is called, the service:
- Creates a route tag of
tenant:<tenantId>to scope the rate limit - Configures the
advanced-rate-limiterKong plugin with:- Scope set to
tenant - Custom tier configuration with per-window limits and burst allowances
- Redis backend for distributed counter storage at
redis-master.matih-system:6379
- Scope set to
- Enables the plugin on the gateway
Plugin Configuration Structure
{
"name": "advanced-rate-limiter",
"enabled": true,
"config": {
"scope": "tenant",
"windows": ["second", "minute", "hour"],
"custom_tiers": {
"professional": {
"second": { "limit": 50, "burst": 75 },
"minute": { "limit": 500, "burst": 750 },
"hour": { "limit": 10000, "burst": 12000 }
}
},
"redis_host": "redis-master.matih-system",
"redis_port": 6379
}
}Rate Limit Response Headers
When rate limiting is active, Kong adds the following response headers:
| Header | Description |
|---|---|
X-RateLimit-Limit-Second | Per-second limit for the current window |
X-RateLimit-Remaining-Second | Remaining requests in the current second |
X-RateLimit-Limit-Minute | Per-minute limit for the current window |
X-RateLimit-Remaining-Minute | Remaining requests in the current minute |
RateLimit-Reset | Seconds until the current window resets |
When the limit is exceeded, the gateway returns 429 Too Many Requests with a Retry-After header.
Redis Backend
Rate limit counters are stored in Redis for distributed state. The Redis instance at redis-master.matih-system:6379 is shared across all gateway pods so that rate limits are enforced consistently regardless of which gateway instance receives the request.
Rate limit configuration is applied via Kong plugin. Changes take effect within seconds but are not persisted in a database -- they exist in Kong's configuration store. If Kong is restarted, rate limit configurations must be reapplied.