rate_limiting

The rate_limiting section enables a simple in-memory token-bucket limiter for inbound requests.

Fields

Field                 Type     Default  Notes
enabled               bool     false    master switch for the whole section
requests_per_minute   integer  60       steady-state budget per derived key (see below)
burst_size            integer  10       short burst allowance per derived key

Example

rate_limiting:
  enabled: true
  requests_per_minute: 120
  burst_size: 20

How keys are derived

The limiter keys each bucket on the first of these request identities that is present, in this order:

  1. authenticated subject from inbound auth context (when security.provider: api_key is enabled and validated)
  2. X-API-Key
  3. Authorization
  4. client IP address

That keeps rate limiting useful both with and without gateway-level inbound auth.

Practical guidance

  • Treat this as gateway-local protection, not distributed global rate limiting.
  • If you run multiple gateway replicas, each instance keeps its own in-memory limiter state, so the limit a single client can reach across the fleet is roughly the configured budget multiplied by the number of replicas, and state is lost whenever an instance restarts.
  • Without validated inbound auth, X-API-Key and Authorization values are taken at face value as keys: every distinct value gets its own bucket, so a client can sidestep the per-key limit by rotating header values, and each value allocates limiter state. Enable security.provider: api_key so the key is a validated subject if you need the per-key limit to hold against untrusted clients.
  • Use conservative values first, then tune from live traffic.