---
title: "View source for Security/Rate Limiting - DreamFactory Wiki"
source: "http://wiki.dreamfactory.com/index.php?action=edit&title=Security%2FRate_Limiting"
canonical_url: "http://wiki.dreamfactory.com/index.php?action=edit&title=Security%2FRate_Limiting"
converted_at: "2026-04-17T01:34:48.061Z"
format: "markdown"
converted_by: "html-to-md-ai"
---
&lt;span id="rate-limiting">&lt;/span>
== Rate Limiting ==

DreamFactory provides a comprehensive rate limiting system that allows administrators to control API usage at multiple levels. Rate limits can be applied per instance, per user, per role, per service, or per endpoint, giving you fine-grained control over how your APIs are consumed. This is essential for preventing abuse, ensuring fair resource allocation, and maintaining platform stability.

&lt;span id="why-rate-limiting-matters">&lt;/span>
== Why Rate Limiting Matters ==

Without rate limiting, a single client or user can monopolize server resources by making an excessive number of API requests. This can degrade performance for all users, increase infrastructure costs, and potentially lead to service outages. DreamFactory's rate limiting feature helps you:

* Protect backend services from being overwhelmed by too many requests
* Enforce usage tiers and quotas for different user groups
* Prevent API abuse and denial-of-service scenarios
* Monitor and plan capacity based on actual usage patterns

&lt;span id="limit-types-and-hierarchy">&lt;/span>
== Limit Types and Hierarchy ==

DreamFactory supports a hierarchy of limit types. When multiple limits are combined, broader limits can override more granular ones. For example, if an instance-wide limit is set to 500 requests per minute, a service-specific limit of 1,000 requests per minute would never be reached because the instance limit triggers first.

{| class="wikitable"
|-
! Limit Type
! Description
|-
| Instance
| Rate limits across the entire DreamFactory instance, cumulative for all users and services
|-
| User
| Limits applied to a specific user across all services
|-
| Each User
| Every user receives an independent counter with the same rate limit
|-
| Role
| Rate limits applied based on a user's assigned role
|-
| Service
| Limits targeting a specific API service
|-
| Service by User
| Limits for a specific user on a specific service
|-
| Service by Each User
| Independent per-user counters on a specific service
|-
| Endpoint
| Limits targeting a specific API endpoint
|-
| Endpoint by User
| Limits for a specific user on a specific endpoint
|-
| Endpoint by Each User
| Independent per-user counters on a specific endpoint
|}

&lt;span id="limit-periods">&lt;/span>
=== Limit Periods ===

Each limit is configured with a reset period that determines when the counter resets automatically. Available periods include:

* '''Minute''' — resets every 60 seconds
* '''Hour''' — resets every 60 minutes
* '''Day''' — resets every 24 hours
* '''7-day''' — resets weekly
* '''30-day''' — resets monthly
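
The hierarchy, limit types and reset periods above can be checked against a small model. This is an added example, not DreamFactory code: it assumes fixed windows aligned to the clock, and the type labels other than <code>instance</code>, along with the <code>user</code> and <code>service</code> keys, are hypothetical names used only by the model.

```python
from collections import defaultdict

PERIOD_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "7-day": 604800, "30-day": 2592000}

class LimitModel:
    """Toy fixed-window model of the limit table; not DreamFactory's implementation."""
    def __init__(self, limits):
        self.limits = limits
        self.counters = defaultdict(int)  # (limit name, counter key, window) -> hits

    @staticmethod
    def counter_key(limit, user, service):
        """Counter a request falls under, or None when the limit does not apply."""
        kind = limit["type"]              # "instance" is from the page; others are model labels
        if kind == "instance":
            return "all"
        if kind == "user":
            return user if user == limit["user"] else None
        if kind == "each_user":
            return user                   # one independent counter per user
        if kind == "service":
            return service if service == limit["service"] else None
        raise ValueError(f"limit type not modelled: {kind}")

    def request(self, now, user, service):
        """Return (200, None), or (429, limit name) for the first exhausted limit."""
        slots = []
        for limit in self.limits:
            key = self.counter_key(limit, user, service)
            if key is None or not limit.get("is_active", True):
                continue
            window = int(now // PERIOD_SECONDS[limit["period"]])
            slot = (limit["name"], key, window)
            if self.counters[slot] >= limit["rate"]:
                return 429, limit["name"]
            slots.append(slot)
        for slot in slots:                # count the request only if every limit allowed it
            self.counters[slot] += 1
        return 200, None

def shadowing_demo():
    """The page's example: instance 500/min hides a service limit of 1000/min."""
    model = LimitModel([
        {"type": "instance", "name": "instance-500", "rate": 500, "period": "minute"},
        {"type": "service", "name": "db-1000", "rate": 1000, "period": "minute", "service": "db"},
    ])
    results = [model.request(now=i * 0.05, user="alice", service="db") for i in range(1100)]
    blockers = {name for status, name in results if status == 429}
    return sum(1 for status, _ in results if status == 200), blockers
```
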

&lt;span id="configuring-rate-limits">&lt;/span>
== Configuring Rate Limits ==

&lt;span id="via-the-admin-console">&lt;/span>
=== Via the Admin Console ===

To create a rate limit in the DreamFactory Admin Console:

# Navigate to '''Config > Limits''' in the left sidebar
# Click '''Create''' to add a new limit
# Select the '''Limit Type''' from the dropdown (Instance, User, Service, etc.)
# Set the '''Rate''' (maximum number of requests allowed)
# Choose the '''Period''' (minute, hour, day, 7-day, or 30-day)
# Optionally restrict to a specific '''HTTP Verb''' (GET, POST, PUT, PATCH, DELETE)
# Provide a descriptive '''Name''' for the limit
# Click '''Save'''

&lt;span id="via-the-api">&lt;/span>
=== Via the API ===

Limits can also be managed programmatically through the DreamFactory REST API:

&lt;syntaxhighlight lang="bash"># Create an instance-wide limit of 1000 requests per hour
curl -X POST "https://your-instance.com/api/v2/system/limit" \
  -H "X-DreamFactory-API-Key: YOUR_API_KEY" \
  -H "X-DreamFactory-Session-Token: YOUR_SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "resource": [{
      "type": "instance",
      "name": "Global Hourly Limit",
      "rate": 1000,
      "period": "hour",
      "is_active": true
    }]
  }'&lt;/syntaxhighlight>
Key API endpoints for limit management:

* <code>GET /api/v2/system/limit</code> — List all configured limits
* <code>POST /api/v2/system/limit</code> — Create a new limit
* <code>PUT /api/v2/system/limit/{id}</code> — Update an existing limit
* <code>DELETE /api/v2/system/limit/{id}</code> — Remove a limit
* <code>GET /api/v2/system/limit_cache</code> — View current counter values
* <code>DELETE /api/v2/system/limit_cache/{id}</code> — Reset a specific limit counter

&lt;span id="what-happens-when-limits-are-exceeded">&lt;/span>
== What Happens When Limits Are Exceeded ==

When a client exceeds a configured rate limit, DreamFactory responds with an '''HTTP 429 Too Many Requests''' status code. The response includes information about the limit that was reached. Clients should implement backoff logic and retry after the limit period resets.
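
One way a client can implement the backoff described above, as an added example rather than DreamFactory code. The <code>send</code> hook and the scenario in <code>backoff_demo</code> are constructed, and the cap assumes the caller knows the period of the limit it hit.

```python
import time

def call_with_backoff(send, period_seconds, base_delay=1.0, max_attempts=8, sleep=time.sleep):
    """Call send() until it stops returning 429.

    send            -- callable returning an HTTP status code (hypothetical transport hook)
    period_seconds  -- length of the limit period, e.g. 60 for a per-minute limit
    Delays double from base_delay but never exceed period_seconds: once a full
    period has elapsed the counter has reset, so a longer wait gains nothing.
    Returns (last status, list of delays slept).
    """
    delays = []
    for attempt in range(max_attempts):
        status = send()
        if status != 429:
            return status, delays
        if attempt == max_attempts - 1:
            break                         # out of attempts: report the 429 to the caller
        delay = min(base_delay * 2 ** attempt, period_seconds)
        sleep(delay)
        delays.append(delay)
    return 429, delays

def backoff_demo():
    """Constructed scenario: a per-minute limit is already exhausted at t=0."""
    clock = {"now": 0.0}

    def send():                           # fake server: 429 until the minute window rolls over
        return 429 if clock["now"] < 60 else 200

    def fake_sleep(seconds):              # advance the fake clock instead of really sleeping
        clock["now"] += seconds

    return call_with_backoff(send, period_seconds=60, sleep=fake_sleep)
```
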

&lt;span id="monitoring-usage">&lt;/span>
== Monitoring Usage ==

The '''Limits''' section of the Admin Console displays current usage statistics for all active limits, including the current hit count and remaining requests in the current period. You can also programmatically query limit usage via the <code>system/limit_cache</code> endpoint.

&lt;span id="endpoint-limits-and-wildcards">&lt;/span>
== Endpoint Limits and Wildcards ==

Endpoint limits allow granular control over specific API paths. For example, you can limit requests to <code>_table/contacts</code> on a database service without affecting other tables. Adding a wildcard <code>*</code> character creates a limit that matches the endpoint and all sub-paths (e.g., <code>_table/contacts*</code> would also match <code>_table/contacts/5</code>).

&lt;span id="limit-cache-and-storage">&lt;/span>
== Limit Cache and Storage ==

By default, DreamFactory uses a file-based cache for rate limit counters, separate from the main application cache. This ensures that clearing the DreamFactory cache does not reset rate limit counters. For high-traffic environments, Redis can be configured as the limit cache backend. See the <code>.env-dist</code> file for limit cache configuration options.

== See also ==
* [[Security/Sql_Server_Configuration|Configuring Windows Authentication for SQL Server]]
* [[Security/Authentication_Apis|Authenticating your APIs]]
* [[Security/Security_Faq|Security FAQ]]
* [[Security/Role_Based_Access|Role Based Access Control (RBAC)]]

[[Category:Rate_Limiting]]
[[Category:Api_Limits]]
[[Category:Throttling]]
[[Category:Security]]
