Implementing Request Throttling with WSO2 API Manager

In the landscape of API management, ensuring the smooth operation and scalability of APIs is crucial. WSO2 API Manager (WSO2 APIM) offers robust solutions for managing, securing, and throttling APIs. Throttling, specifically, is a vital feature that helps in maintaining the service's efficiency and preventing API overuse. This post will guide you through the process of setting up request throttling with WSO2 APIM, which allows you to limit the number of API calls a user can make within a specified time. For example, you might want to restrict access to a custom profile API to 100 requests per minute.

WSO2 APIM Components

WSO2 APIM consists of several components, each serving a specific function:

  1. API Gateway: Routes API traffic, enforces policies like throttling, and provides security checks.

  2. Key Manager: Handles client authentication and token management.

  3. API Publisher: Allows API providers to publish APIs, share documentation, and more.

  4. Developer Portal: Enables consumers to self-register, discover API functionality, and subscribe to APIs.

  5. Traffic Manager: Manages rate limiting and throttling policies and decisions.

Additional Setup

  • Between WSO2 Identity Server (WSO2 IS) and WSO2 API Gateway (WSO2 MGW), the API Publisher is used to publish and create APIs, the Developer Portal is utilized to expose these APIs externally, and the Traffic Manager acts as the administration portal.

Throttling Mechanism

Throttling in WSO2 APIM is managed through the Traffic Manager component, which handles the rate-limiting policies as dictated by the API Publisher settings. When an API is created in the Publisher and subsequently tested and run through the Developer Portal, throttling settings are enforced at the API Gateway.

Example Scenario:

Suppose you configure an API to have a throttling limit of 100 requests per minute. Once this threshold is reached, WSO2 APIM instructs the API Gateway to block any further requests, typically by issuing an HTTP 429 "Too Many Requests" error message.

Operational Flow:

  1. A request is made to the API through the Gateway.

  2. The API Gateway checks with the APIM to see if the request count for the given API has exceeded the threshold.

  3. If the threshold is exceeded, the APIM signals the Gateway to deny further requests, enforcing the throttling policy.

What Happens if WSO2 APIM Goes Down?

It is important to understand the resilience of the system. If WSO2 APIM were to experience downtime, requests would still be received by the API Gateway, but throttling would not occur until the connection is re-established. In other words, the gateway fails open: API availability is maintained, although without rate limiting.
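The operational flow and the outage behaviour described above, modelled as an added example (not WSO2 code and not part of the original post). The class names, the fixed-window counter and the `unthrottled` counter are assumptions made for illustration; the 100 requests per minute limit and the 429 status are the post's.

```python
from dataclasses import dataclass, field

LIMIT = 100   # requests per window (the post's example figure)
WINDOW = 60   # window length in seconds


@dataclass
class TrafficManager:
    """Hypothetical stand-in for the component that makes throttle decisions."""
    up: bool = True
    counts: dict = field(default_factory=dict)

    def over_limit(self, key: str, now: float) -> bool:
        if not self.up:
            raise ConnectionError("throttle decision service unreachable")
        bucket = (key, int(now // WINDOW))  # assumed fixed-window counter
        self.counts[bucket] = self.counts.get(bucket, 0) + 1
        return self.counts[bucket] > LIMIT


@dataclass
class Gateway:
    """Hypothetical gateway that asks for a decision on every request."""
    tm: TrafficManager
    unthrottled: int = 0  # requests forwarded with no decision available

    def handle(self, key: str, now: float) -> int:
        try:
            if self.tm.over_limit(key, now):
                return 429  # Too Many Requests
        except ConnectionError:
            self.unthrottled += 1  # fail open, but count it so it can be alerted on
        return 200


def run(gw: Gateway, key: str, n: int, start: float) -> dict:
    """Send n requests within one second from `start`; tally status codes."""
    tally = {200: 0, 429: 0}
    for i in range(n):
        tally[gw.handle(key, start + i / n)] += 1
    return tally


if __name__ == "__main__":
    gw = Gateway(TrafficManager())
    print(run(gw, "profile-api:alice", 150, 0))   # constructed burst of 150 calls
    gw.tm.up = False                              # simulate the outage
    print(run(gw, "profile-api:alice", 150, 60), gw.unthrottled)
```

During the simulated outage every response is a 200, so the status codes alone give no hint that the limit is unenforced; a counter like `unthrottled` is the signal to export to monitoring.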

Setting Up Throttling

Here’s how to configure throttling policies in WSO2 APIM:

  1. Log into the Admin Portal: Start by logging into the WSO2 APIM Admin Portal. This is typically accessed via the Traffic Manager component.

  2. Define Throttling Policies: Navigate to the throttling policy section within the dashboard. Here, you can set various limits for different APIs. For instance, you might set a policy to allow 100 requests per minute for a specific API (this is an example).

  3. Apply Policies to APIs: When defining or editing an API using the API Publisher, specify the desired throttling limit (e.g., 100 requests/min) in the API’s swagger definition. This links the API to the throttling policy.

  4. Testing: Once configured, you can test the API using the Developer Portal to ensure the throttling is functioning as expected.


Throttling is a key aspect of API management that helps prevent abuse and ensures fair use of APIs among consumers. WSO2 APIM provides all the necessary tools to effectively manage request rates through comprehensive policies and real-time traffic management. By following the steps outlined above, organizations can safeguard their APIs against potential overuse, thereby enhancing the overall reliability and performance of their digital services.