Ron Huber

Ron Huber is the CEO and co-founder of Achieve Internet. He's an experienced senior executive with over 15 years managing and leading software teams in the online media, Internet, and software development space.

About the Author

Malicious API attacks rose 681% in 2021 even with security measures in place and are predicted to become the primary attack vector in 2022.

You'll need to tighten your API management to boost your security posture. API throttling and rate-limiting are two important concepts for managing APIs.

But what exactly is the difference between them? And why does it matter?

What is Rate Limiting?

Rate limiting is a technique used to control the number of requests a user can make to an API over a given period of time. It's usually used to prevent abuse or misuse of the API.

There are two ways to limit the amount of traffic your website gets: use existing rate limiting features in web servers or build your own for more security and control over traffic.

Example of Rate Limiting

Mulesoft's rate limiting policy starts with the basics needed for any rate limit. You'll need to determine the number of requests, specify the time period allowed per request, and what unit of time it will be measured in.

What is API Throttling?

API throttling is a technique used to control the amount of traffic that an API can handle and is typically used in conjunction with rate limiting. It's used to prevent overloading the server or network the API is hosted on.

For this technique, servers enforce throttling policies on the client. By limiting the number of requests that a user can make, you ensure that the API is responsive and available for all users.

Example of API Throttling

Amazon Web Services (AWS) uses throttling techniques across many of its APIs. In fact, it uses two different methods to throttle requests to HTTP APIs. They allow account-level throttling per region (the default setting) or route-level throttling.

This is what a custom route-level throttling would look like using AWS CLI:

Why Does This Difference Matter?

So, what's the difference between these two techniques? And why does it matter? We've put together this quick chart to note the major differences between the two.

API Throttling

API Rate Limiting

This technique is used to manage resources at…

Server or network level

User or client level

The main goal is to ensure…

The API can handle the traffic it's receiving.

A user doesn't make too many requests to the API to abuse or misuse it.

How is it implemented?

By setting a limit on the number of requests that can be made to the API within a certain time period.

By setting a limit on the number and speed of requests that a user can make to the API within a specific time period.

What happens when the limit is reached?

No more requests will be processed until the time period expires or the client pays for more API calls.

No more requests will be processed until the time period expires.

API throttling and rate-limiting are both critical techniques for managing APIs. Which one you use depends on your particular needs and requirements.

Understanding the difference between them is essential to ensure that you're using the right technique for your API.

While many businesses use these features through their gateway, they often lack a cohesive dashboard that lets them manage them with ease. API portals fix this problem by providing functionality to product owners who aren't constantly on management platforms.

Why Do Businesses Implement Rate Limiting?

Businesses have a variety of reasons to impose rate limits on their APIs. The most common reasons include:

  • They don't want to overwhelm their systems. The goal of any system is to provide high-quality service for all clients, but this can't happen if a single client floods the server with requests. This would drive down traffic and affect other customers' experience as well.