Setting Up Rate Limiting for Endpoints
Introduction
Zen by Aikido allows you to set up rate limiting on route endpoints to protect your application from abuse, such as excessive password reset requests. You can rate limit webpages, REST API endpoints and GraphQL APIs.
Check the functionality support matrix to see if your framework supports rate limiting.
Supported Functionality
Set rate limiting on specific endpoints
Set rate limiting on multiple endpoints at once by adding a wildcard (*) endpoint
Set rate limiting on IP address or user ID
Disable protection for a specific endpoint instead of disabling protection for your entire app.
Rate limiting is based on individual IP addresses or user IDs.
For example, if the limit is 10 requests per minute:
❌ Blocked: A single IP making 11 requests
✅ Allowed: 11 different IPs making one request each
This helps prevent abuse while allowing normal traffic from multiple users.
How to set up rate limiting
Step 1: Navigate to a specific app and open the Endpoints tab
Step 2: Open the Action Menu of the endpoint you wish to apply rate limiting to. Clicking Setup rate limiting opens a modal.
Step 3: Enable Rate Limiting and specify the number of requests allowed per timeframe. Save by updating the endpoint.
Config changes take up to 1 minute to take effect.
Setting up rate limiting for multiple endpoints at once
You can set up rate limiting for multiple endpoints at once by adding a wildcard endpoint.
Step 1: On the endpoints page, click Add Endpoint.
Step 2: Add a wildcard endpoint by adding an * in the route.
Step 3: The wildcard endpoint will now appear in the list. Proceed to set up rate limiting the same way as above.
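To make the two behaviours described on this page concrete (requests counted per IP address or user ID against a limit per timeframe, and one wildcard endpoint covering several routes), here is an added illustration written for this article. It is not Zen's own implementation and does not use the Aikido API; the route strings, the `POST /api/*/reset-password` rule and the IP addresses are constructed, and the `*` matching uses Python's `fnmatch`, which is an assumption about how a wildcard route behaves.

```python
import time
import fnmatch
from collections import defaultdict


class EndpointRateLimiter:
    def __init__(self):
        # route pattern -> (max_requests, window_seconds); patterns may contain '*'
        self.rules = {}
        # (pattern, client_key) -> [window_start, request_count]
        self.counters = defaultdict(lambda: [None, 0])

    def add_rule(self, route_pattern, max_requests, window_seconds):
        self.rules[route_pattern] = (max_requests, window_seconds)

    def _match_rule(self, route):
        # An exact route wins; otherwise the first matching wildcard pattern applies.
        if route in self.rules:
            return route
        for pattern in self.rules:
            if "*" in pattern and fnmatch.fnmatchcase(route, pattern):
                return pattern
        return None

    def allow(self, route, client_key, now=None):
        """Return True if the request may proceed, False if it is rate limited."""
        now = time.time() if now is None else now
        pattern = self._match_rule(route)
        if pattern is None:
            return True  # no rule configured for this route: never limited
        max_requests, window = self.rules[pattern]
        state = self.counters[(pattern, client_key)]
        if state[0] is None or now - state[0] >= window:
            state[0], state[1] = now, 0  # window expired: start counting afresh
        state[1] += 1
        return state[1] <= max_requests


def demo():
    """Replays the page's 10-requests-per-minute example; returns the verdicts."""
    limiter = EndpointRateLimiter()
    route = "POST /api/v1/reset-password"  # constructed route
    limiter.add_rule("POST /api/*/reset-password", 10, 60)  # hypothetical wildcard rule
    # One IP sending 11 requests inside the same minute: the 11th is blocked.
    single_ip = [limiter.allow(route, "203.0.113.7", now=i) for i in range(11)]
    # 11 different IPs sending one request each: all allowed.
    many_ips = [limiter.allow(route, f"198.51.100.{i}", now=0) for i in range(11)]
    after_window = limiter.allow(route, "203.0.113.7", now=60)  # window elapsed
    return single_ip, many_ips, after_window
```

The `now` argument exists only so the minute boundary can be replayed deterministically; in a real request path the default wall clock is used.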