As a user I should be able to add a rate limit to an API so it is enforced globally

[lonelycode]

As a user I should be able to add a rate limit to an API so it is enforced globally, this should rate-limit access to the API across all tokens, and should supersede a token rate limit.

Functional Requirements:

• I should be able to set a rate limit on an API
• I should be able to add a global rate limit to an open API - for example in B2B servie-to-service calls this may be preferrable to a token based approach
• I should be able to add this rate limit in the API Designer

[buger]

and should supersede a token rate limit.

What is the reason behind overriding token rate limit? Initially I was thinking that global rate limit is sort of "default" one, and you can override it if needed.

Or by "supersede" you mean that if token_rate_limit > global_rate_limit, I should use global, eg it is maximum value, otherwise token based?

[lonelycode]

They are different counters, so for example if all users have a rate limit of 100/s and the global limit is 1000/s, then 10 users can go at full speed, however if another user started sending the same 100/s requests, then the aggregate throughput would be more than 1000/s, and all 10 users would be throttled.

This is so that if I am an API owner, and I know my infrastructure will explode at 1100/s, but be ok at 1000/s that I can guarantee that no amount of users concurrently accessing my service can exceed that limit to damage the infra.

In a real case this would be much higher. I see this rate limit affecting everyone equally.

In terms of the code, it basically means that each API has it's own DRL bucket that gets incremented before the user r/l bucket.

[buger]

Clear 👍

[nickReyn]

API-level (global) rate limits

[lonelycode]

I've moved this into 2.4 because it only requires a small UI change in the dashboard to make live.

[lonelycode]

(cc @lghiur / @ConsM)

[lonelycode]

Relevant PR because it didn't link properly: #1138