In this tutorial, you will package APIs into a product for deployment. Each product can have one or more plans. The default plan provides a basic rate limit policy. You will modify this policy to enforce a hard rate limit to ensure that consumers cannot send more traffic than the plan limit.
Prerequisites:
- API Connect Developer Toolkit 5.0.7.1
- Completion of any tutorial within the series
Instructions:
Definition: New terms are used in the following sections, so let's formally define them now:
- Product: packaging of one or more APIs into a single group that is a deployable unit and enables enforcement of rate limit definitions.
- Select the Products tab and click Add + -> New Product.
- Enter the name weather and click Create product.
- Click the recently created product and click APIs (in the left nav bar).
- Click the + button to add the following APIs
- Weather Provider API
- OAuth2 OIDC Provider (if available)
- utility (if available)
- Click Apply when complete.
- Below APIs, expand the Plans section.
- You can define the rate limits for your product here. A default rate plan of 100 calls / hour is pre-defined. Multiple rate plans can be defined to offer different quality of service. Burst limits allow you to exceed the rate limit to account for periods of unusually high traffic. A hard limit fails transactions above the rate limit threshold. Rate limits can be applied to individual API operations if needed. For more details on the various options, see here
- Change the default rate plan from 100 calls / hour to 10 calls / minute.
- Check the Enforce Hard Limit checkbox and click the save button.
You're now ready to test the rate limit policy.
- If you're using an OAuth secured API, obtain an access token from the OAuth provider (using the resource owner grant type).
- Obtain an access token from the OAuth provider (using the resource owner grant type) with Postman.
- Open Postman and select File -> Import -> Import from Link and enter the value https://www.getpostman.com/collections/9ab248322bd2f0a75eea.
- Open the request called OAuth Password. Select the Body link and notice that a default client id of default and client secret of SECRET is pre-configured. Adjust the values if your endpoint is different than https://127.0.0.1:4001.
- Submit the request and validate that you get back an access token.
{ "token_type": "bearer", "access_token": "<sanitized>", "expires_in": 3600, "scope": "weather", "refresh_token": "<sanitized>" }
- Copy the access token so it remains on your clipboard. You are now ready to call the Weather API!
- Open the Weather (Resource Call) request, select the Headers tab and notice the variable {{access_token}}. The access token is already populated for you via a helper Postman script. If you still want to copy the access token, you can manually add it to the Authorization header field. Click Send to validate that the request is successful.
{ "zip": "90210", "temperature": 66, "humidity": 78, "city": "Beverly Hills", "state": "California", "platform": "Powered by IBM API Connect" }
- Click the Headers tab and scroll down to the X-RateLimit- headers:
X-RateLimit-Limit → name=rate-limit,10
X-RateLimit-Remaining → name=rate-limit,9
X-RateLimit-Reset → name=rate-limit,22
- Send 10 more requests and then switch over to the body link. The following response will appear that indicates that the rate limit is exceeded.
{ "httpCode": "429", "httpMessage": "Too Many Requests", "moreInformation": "Rate Limit exceeded" }
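The manual check above can be scripted. This is an added example, not part of the original tutorial or of API Connect: it parses the X-RateLimit- header format shown above and audits one window of responses to confirm that no call is accepted past the plan limit. The function names, the sample responses, and the assumption that Remaining drops by one per accepted call (as in the 10 to 9 sample above) are constructed for illustration.

```javascript
// Added example: header format ("name=rate-limit,10") is from the tutorial's
// output; function names and the response sequences are constructed here.

// Parse "name=rate-limit,9" into { name: "rate-limit", value: 9 }.
function parseRateLimit(raw) {
  const m = /^name=([^,]+),(\d+)$/.exec(String(raw).trim());
  if (!m) throw new Error(`unexpected rate-limit header: ${raw}`);
  return { name: m[1], value: Number(m[2]) };
}

// Audit the responses from a single rate-limit window: with a hard limit,
// no 2xx may appear once the quota is used up (assumed: Remaining = limit - accepted).
function auditHardLimit(responses) {
  const findings = [];
  let accepted = 0, rejected = 0, limit = null;
  responses.forEach((res, i) => {
    const lim = res.headers["X-RateLimit-Limit"];
    if (lim !== undefined) limit = parseRateLimit(lim).value;
    if (res.status === 429) { rejected += 1; return; }
    if (res.status < 200 || res.status > 299) return; // other errors are not counted
    accepted += 1;
    if (limit === null) return; // no limit header seen yet
    if (accepted > limit) findings.push(`request ${i + 1}: accepted beyond limit ${limit}`);
    const rem = res.headers["X-RateLimit-Remaining"];
    if (rem === undefined) return;
    const got = parseRateLimit(rem).value;
    const expected = Math.max(limit - accepted, 0);
    if (got !== expected) findings.push(`request ${i + 1}: remaining ${got}, expected ${expected}`);
  });
  return { limit, accepted, rejected, ok: findings.length === 0, findings };
}

// Constructed sample: `total` requests in one window against a plan of `limit`
// calls; hard=false models a plan saved without Enforce Hard Limit.
function sampleWindow(limit, total, hard) {
  return Array.from({ length: total }, (_, i) => ({
    status: i >= limit && hard ? 429 : 200,
    headers: {
      "X-RateLimit-Limit": `name=rate-limit,${limit}`,
      "X-RateLimit-Remaining": `name=rate-limit,${Math.max(limit - i - 1, 0)}`,
    },
  }));
}

console.log(auditHardLimit(sampleWindow(10, 11, true)));  // hard limit enforced
console.log(auditHardLimit(sampleWindow(10, 11, false))); // 11th call accepted
```

To run it against a real gateway, replace sampleWindow with the status codes and headers collected from your own requests in one window.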
In this tutorial, you learned how to enforce rate limits for your product (collection of APIs).