Enforce Throttling and Resource Access Policies
Throttling allows you to limit the number of hits to an API during a given period of time, typically to:

- Protect your APIs from security attacks.
- Protect your backend services from overuse.
- Regulate traffic according to infrastructure limitations.
- Regulate usage for monetization.
In this tutorial, you apply throttling and resource access policies to your API at several levels and observe how the API Gateway enforces them.
Note

Before you begin:

- Follow Create and Publish an API to create and publish the PhoneVerification API.
- Follow Subscribe to and Invoke an API to subscribe to the API using the Bronze throttling tier.
Let's get started.

1. Sign in to the API Store and select the PhoneVerification API.
2. Subscribe to the API using the Default Application and the Bronze tier if you have not done so already.
3. In the API Store, click the APPLICATIONS menu, click DefaultApplication to open it, and then click the Production Keys tab. If you already have an access token for the application, you may have to scroll down and click Re-generate. Access tokens expire 1 hour after creation unless you extend the period.

Let's invoke this API.

4. Click the API, go to its API Console tab and expand the GET method.
5. Give values to the parameters (PhoneNumber 18006785432 and LicenseKey 0) and click Try it out to invoke the API.
6. Note the response that appears in the API Console. Because the example uses a valid phone number, the response reports it as valid.
7. Note that you subscribed to the API on the Bronze throttling tier, which allows 1000 calls to the API per minute. If you exceed that quota, the API Gateway rejects further calls with a throttling error instead of forwarding them to the backend.

Let's try to invoke the API using a resource name that does not exist.

8. Click the APIs menu in the API Store, click the API you want to invoke and then copy the production URL from the API's Overview tab.
9. Append the resource path and query parameters to the URL you copied. For example: `https://gateway.api.cloud.wso2.com:443/t/companyn3/phoneverify/1.0.0/CheckPhoneNumber?PhoneNumber=18006785432&LicenseKey=0`

Let's invoke the API.

10. Install cURL or any other REST client.
11. Go to the command line and invoke the API using the following cURL command. Note that the PhoneVerification API's resource name is CheckPhoneNumber, but here we deliberately use an undefined resource name, CheckPhoneNum:

    ```
    curl -k -H "Authorization: Bearer <access token in step 3>" '<API's URL in step 9>/CheckPhoneNum?PhoneNumber=18006785432&LicenseKey=0'
    ```

    Here's an example:

    ```
    curl -k -H "Authorization: Bearer 0bc0500523dddc5c973971f16b19103e" 'https://gateway.api.cloud.wso2.com:443/t/companyn3/phoneverify/1.0.0/CheckPhoneNum?PhoneNumber=18006785432&LicenseKey=0'
    ```

    The `-k` flag disables TLS certificate verification. It is convenient for a quick test, but drop it once you are done, because the request carries a bearer token that anyone intercepting the connection could reuse.

12. Note that the call is blocked by the API Gateway with a 'no matching resource' message. It does not reach your backend services, because you are trying to access a REST resource that is not defined for the API.
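The order in which the Gateway applied its checks above (valid token first, then whether the resource is defined for the API, then the subscription's throttle quota, and only then the backend) can be modelled in a few lines. The following Python is an added illustration, not WSO2 API Cloud's implementation: the `Backend`, `Gateway` and `demo` names, the fixed-window counting, the Silver and Gold tier values and the error strings are assumptions made for this example; the only figure taken from the tutorial is the Bronze limit of 1000 calls per minute. The backend counts how often it is reached, which lets you confirm that both the undefined-resource call and the throttled call never get there.

```python
"""Illustrative model of an API gateway enforcing resource access and
throttling policies ahead of the backend. Added example; not WSO2 code."""
from collections import defaultdict


class Backend:
    """Stand-in for the PhoneVerification service. It counts calls so we can
    show that rejected requests never reach it."""

    def __init__(self):
        self.calls = 0

    def check_phone_number(self, phone_number: str) -> dict:
        self.calls += 1
        # Constructed rule: a 10-15 digit numeric string is reported as valid.
        valid = phone_number.isdigit() and 10 <= len(phone_number) <= 15
        return {"PhoneNumber": phone_number, "Valid": valid}


# Calls allowed per 60-second window per application. Bronze comes from the
# tutorial; Silver and Gold are assumed values for illustration.
TIERS = {"Bronze": 1000, "Silver": 2000, "Gold": 5000}


class Gateway:
    def __init__(self, backend: Backend, resources: set, window_seconds: int = 60):
        self.backend = backend
        self.resources = resources          # resources defined for the API
        self.window = window_seconds
        self.subscriptions = {}             # access token -> (application, tier)
        self.counters = defaultdict(int)    # (application, window index) -> hits

    def subscribe(self, token: str, application: str, tier: str) -> None:
        if tier not in TIERS:
            raise ValueError(f"unknown tier {tier}")
        self.subscriptions[token] = (application, tier)

    def handle(self, token: str, resource: str, params: dict, now: float) -> tuple:
        # 1. Authentication: an unknown token is rejected before anything else.
        sub = self.subscriptions.get(token)
        if sub is None:
            return 401, {"error": "Invalid credentials"}
        application, tier = sub

        # 2. Resource access policy: only resources defined for the API may be
        #    invoked; an undefined one is refused here and never proxied.
        if resource not in self.resources:
            return 404, {"error": "No matching resource"}

        # 3. Throttling: fixed window of `window` seconds per application.
        #    (Assumed algorithm; the message text is illustrative.)
        key = (application, int(now // self.window))
        if self.counters[key] >= TIERS[tier]:
            return 429, {"error": "Message throttled out"}
        self.counters[key] += 1

        # 4. Only a request that passed every policy reaches the backend.
        return 200, self.backend.check_phone_number(params.get("PhoneNumber", ""))


def demo() -> dict:
    """Replay the tutorial's scenarios against the model and report the
    status codes observed plus how many calls reached the backend."""
    backend = Backend()
    gw = Gateway(backend, resources={"CheckPhoneNumber"})
    token = "0bc0500523dddc5c973971f16b19103e"   # placeholder token from the tutorial
    gw.subscribe(token, "DefaultApplication", "Bronze")
    params = {"PhoneNumber": "18006785432", "LicenseKey": "0"}

    valid_status, valid_body = gw.handle(token, "CheckPhoneNumber", params, now=0.0)
    undefined_status, _ = gw.handle(token, "CheckPhoneNum", params, now=1.0)

    # Use up the rest of the Bronze quota inside the same minute, then one more.
    for _ in range(TIERS["Bronze"] - 1):
        gw.handle(token, "CheckPhoneNumber", params, now=2.0)
    throttled_status, _ = gw.handle(token, "CheckPhoneNumber", params, now=3.0)

    # The next one-minute window starts with a fresh counter.
    next_window_status, _ = gw.handle(token, "CheckPhoneNumber", params, now=61.0)

    return {
        "valid": valid_status,
        "valid_body": valid_body,
        "undefined_resource": undefined_status,
        "throttled": throttled_status,
        "next_window": next_window_status,
        "backend_calls": backend.calls,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows 200 for the defined resource, 404 for `CheckPhoneNum`, 429 once the 1000-call Bronze quota is spent, and 200 again in the following window; the backend counter ends at 1001, confirming that neither rejected request was forwarded.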
You have seen how the API Gateway enforces throttling and resource access policies for APIs.