KOR Connect Rate Limiter
Rate limits protect your API integration from being overloaded, from incurring unnecessary charges, and from having your API blocked. KOR Connect lets you set up a per-user rate limiter without using user authentication keys or client IDs. This means you can let users interact with your integrated third-party API without worrying about users or bots running up costs. You set the API rate limit at the expected usage amount to protect the API from malicious or accidental overuse. Requests that exceed the set limit are then rejected automatically, which helps prevent unwanted usage of your connected API.
User Based Rate Limit
KOR Connect currently offers a source-based API rate limiter (per user, based on IP address). This approach minimises disruption to other users of a particular web application or frontend. The user-based rate limiter allows more granular control over the API and can reduce the risk of DoS (denial of service) attacks without interfering with other users of the web application. A rate limiter can also help with API overuse caused intentionally by end users or accidentally by issues in client code.
How to Use
Set the rate limiter to the number of calls per second that you want to allow to your target API. The limit is applied per user IP address. The rate limiter bypasses your own IP address when your Connection Mode is set to Testing. If your IP address changes at any time while in Testing Mode, you will have to re-register your new IP address with KOR Connect.
To register a new IP address with KOR Connect, change the Connection Mode to Production, then back to Testing. This registers your new IP address with KOR Connect.
KOR Connect allows you to control the number of endpoint calls made to your connected API per second, on a per-user basis (segmented by IP address). KOR Connect uses a Fixed Window algorithm, which allows a certain number of endpoint calls per second. If a user exceeds the allowed calls per second, a 429 'Too Many Requests' error is returned.
KOR Connect blocks both sources and requests. Requests are blocked if the allowed number of calls is exceeded within the given amount of time (per second). To secure the API connection further, KOR Connect also blocks the source of the malicious activity. Blocked sources are subject to a cool-down window of 1 hour.
The API rate limits are calculated in requests per second (RPS).
For example, a developer might choose 100 requests per second. If a single IP then generates 101 requests within a second, the last request will be blocked, along with the IP and all other incoming requests from that same IP for the following hour. This blocking only restricts the one client that went over the allowed RPS.
This cool-down period is set by KOR Connect based on industry standards.
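The behaviour described above (fixed one-second window per IP, 429 on excess, 1-hour block of the source) can be modelled in a few lines. This is an added example, not KOR Connect's own code; the class and function names are hypothetical, the IP addresses are constructed, and it assumes the cool-down starts when the limit is first exceeded and is not extended by later requests.

```python
import time

COOL_DOWN_SECONDS = 3600  # 1-hour cool-down stated on the page


class FixedWindowLimiter:
    """Per-IP fixed-window limiter with source blocking (illustrative model)."""

    def __init__(self, limit_rps, clock=time.time):
        self.limit_rps = limit_rps
        self.clock = clock        # injectable clock so behaviour can be replayed
        self.windows = {}         # ip -> (window_start_second, request_count)
        self.blocked_until = {}   # ip -> timestamp at which the block expires

    def check(self, ip):
        """Return the HTTP status the caller would receive: 200 or 429."""
        now = self.clock()
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return 429        # source is still in its cool-down window
            del self.blocked_until[ip]
        window = int(now)         # fixed window: aligned to whole seconds
        start, count = self.windows.get(ip, (window, 0))
        if start != window:
            start, count = window, 0   # new second, counter resets
        count += 1
        self.windows[ip] = (start, count)
        if count > self.limit_rps:
            # Assumption: the block starts at the first request over the limit.
            self.blocked_until[ip] = now + COOL_DOWN_SECONDS
            return 429
        return 200


def simulate():
    """Replay the page's example: limit of 100 RPS, 101 requests in one second."""
    t = [1000.0]                                  # constructed timestamps
    limiter = FixedWindowLimiter(100, clock=lambda: t[0])
    burst = [limiter.check("203.0.113.7") for _ in range(101)]
    other = limiter.check("203.0.113.8")          # different client, same second
    t[0] += 1.0
    next_second = limiter.check("203.0.113.7")    # new window, still blocked
    t[0] += COOL_DOWN_SECONDS
    after_cool_down = limiter.check("203.0.113.7")
    return burst, other, next_second, after_cool_down
```

Client code calling an API behind such a limiter should treat a 429 as a signal to stop sending, since continued requests from a blocked source keep failing until the cool-down ends.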