Setting Up Rate Limiting for Endpoints

Introduction

Zen Firewall by Aikido allows you to set up rate limiting on route endpoints to protect your application from abuse, such as excessive password reset requests. You can rate limit web pages, REST API endpoints and GraphQL APIs.

Check the functionality support matrix to see if your framework supports rate limiting.

Supported Functionality

  • Set rate limiting on specific endpoints

  • Set rate limiting on multiple endpoints at once by adding a wildcard (*) endpoint

  • Set rate limiting per IP address, per user ID, or per custom group ID (e.g. a company ID for B2B SaaS)

  • Disable protection for a specific endpoint instead of disabling protection for your entire app.

  • Requests from localhost (127.0.0.1) are never rate limited

Rate limiting is applied per IP address or per user identity. For example, if the limit is 10 requests per minute:

  • Blocked: a single IP making 11 requests within the minute (the 11th request is blocked)

  • Allowed: 11 different IPs making one request each

This helps prevent abuse while allowing normal traffic from multiple users.

How to set up rate limiting

Step 1: Navigate to a specific app and open the Endpoints tab

Screenshot: the Endpoints tab, showing method, route, app name, rate limiting and status for each endpoint.

Step 2: Open the action menu of the endpoint you wish to rate limit and click Setup rate limiting. This opens a modal.

Screenshot: the endpoint's action menu, with protection enabled and the rate limiting option displayed.

Step 3: Enable Rate Limiting and specify the number of requests allowed per timeframe. Save by updating the endpoint.

Screenshot: enabling and configuring rate limiting for PATCH requests to /api/v2/posts/:number.

Config changes take up to 1 minute to take effect.

Setting up rate limiting for multiple endpoints at once

You can set up rate limiting for multiple endpoints at once by adding a wildcard endpoint.

Step 1. On the endpoints page, click Add Endpoint.

Screenshot: the endpoint table with route, app name, rate limiting and protected status, and the Add Endpoint button.

Step 2. Add a wildcard endpoint by using an * in the route (for example POST /auth/*).

Screenshot: the Add Endpoint dialog in the Aikido Firewall settings.

Step 3. The wildcard endpoint now appears in the list. Set up rate limiting on it the same way as above.

Screenshot: the POST /auth/* endpoint for the Demo app, limited to 10 requests/min, with Protected status.

How it works

Order of operations

Aikido Zen enforces rate limits in the following order of priority:

  1. Group level

  2. User level

  3. IP level

Once a request is rate limited at a higher level (e.g. group), the lower levels (user or IP) are not evaluated.

Sliding window

Zen tracks requests using a moving time frame that continuously slides forward. Unlike fixed windows, which reset at specific times, a sliding window keeps a rolling count of the most recent period (e.g. the last 60 seconds). This closes the edge case where a client could send a full quota just before a fixed-window boundary and another full quota just after it, doubling the intended limit within a few seconds.
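The example below is added here and is not Zen's own implementation; it is a small in-memory limiter that reproduces the 10-requests-per-minute scenarios from the Introduction (11 requests from one IP, one request each from 11 IPs) and contrasts a sliding window with a fixed window on the boundary case described above. Timestamps are injected explicitly so the runs are deterministic; IP addresses are constructed test values.

```javascript
// Added example, not code from Zen. Sliding-window limiter keyed by client
// identity (here: IP address), with a fixed-window limiter for comparison.

class SlidingWindowLimiter {
  // Allow at most maxRequests per key within any windowMs-long trailing period.
  constructor(maxRequests, windowMs) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of recent allowed requests
  }

  // Returns true if the request is allowed, false if it is blocked.
  // `now` is passed in (instead of Date.now()) so behaviour is reproducible.
  allow(key, now) {
    const cutoff = now - this.windowMs;
    // Drop timestamps that have slid out of the trailing window.
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.maxRequests) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

class FixedWindowLimiter {
  // Counter resets at every multiple of windowMs (e.g. at each full minute).
  constructor(maxRequests, windowMs) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.counts = new Map(); // key -> { windowStart, count }
  }

  allow(key, now) {
    const windowStart = Math.floor(now / this.windowMs) * this.windowMs;
    const entry = this.counts.get(key);
    if (!entry || entry.windowStart !== windowStart) {
      this.counts.set(key, { windowStart, count: 1 });
      return true;
    }
    if (entry.count >= this.maxRequests) return false;
    entry.count += 1;
    return true;
  }
}

// Scenario 1 (Introduction): one IP sends 11 requests within a minute.
// Expect ten allowed, then the 11th blocked.
function singleIpBurst() {
  const limiter = new SlidingWindowLimiter(10, 60_000);
  const results = [];
  for (let i = 0; i < 11; i++) {
    results.push(limiter.allow("203.0.113.5", 1_000 + i * 100)); // constructed IP
  }
  return results;
}

// Scenario 2 (Introduction): 11 different IPs send one request each. All allowed.
function manyIpsOneEach() {
  const limiter = new SlidingWindowLimiter(10, 60_000);
  return Array.from({ length: 11 }, (_, i) => limiter.allow(`203.0.113.${i}`, 1_000));
}

// Scenario 3 (window boundary): 10 requests at t=59.5s, 10 more at t=60.5s.
// A fixed window resets at t=60s and lets all 20 through within one second;
// the sliding window still sees the first 10 inside the trailing 60 seconds
// and blocks the whole second batch.
function boundaryBurst(limiter) {
  const allowed = { first: 0, second: 0 };
  for (let i = 0; i < 10; i++) if (limiter.allow("203.0.113.9", 59_500 + i)) allowed.first++;
  for (let i = 0; i < 10; i++) if (limiter.allow("203.0.113.9", 60_500 + i)) allowed.second++;
  return allowed;
}
```

The sliding limiter stores a timestamp per allowed request, which is simple and exact but grows with the limit; production implementations usually trade that for an approximation (sub-buckets or a weighted previous-window count). The blocking decision is the same either way: the 11th request in any trailing 60 seconds is refused.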

Route selection (wildcards)

Zen first looks for an exact route match (a configured route without wildcards) and applies that limit. If no exact route matches, the matching wildcard routes are considered and the one with the lowest limit is applied. Only one limit is applied at any given time; a single request never hits multiple limits.

Group-based rate limiting

To limit the number of requests for a group of users, use the setRateLimitGroup function. This is useful if you want to limit the number of requests per team or company. Note that once a rate limit group is set for a request, the configured rate limits are applied only to that group and not to the individual user or IP address.
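The following is an added example, not Zen's code, that combines the two selection rules described above: choosing the single endpoint rule that applies to a request (exact route first, otherwise the matching wildcard with the lowest limit) and choosing the single identity the request is counted against (group, then user, then IP, with localhost exempt as stated under Supported Functionality). The endpoint table, the request shape, the `:number` parameter handling and the interpretation of `*` as "matches any remainder of the path" are assumptions made for illustration; the Node.js agent's `setRateLimitGroup` call is how the group would be attached to a request in practice, but the field name `rateLimitGroup` below is this example's own.

```javascript
// Added example, not code from Zen. Constructed endpoint configuration in the
// shape the Endpoints tab shows (method, route, requests per window).
const ENDPOINTS = [
  { method: "POST", route: "/auth/*", maxRequests: 10, windowMs: 60_000 },
  { method: "POST", route: "/auth/password-reset", maxRequests: 3, windowMs: 60_000 },
  { method: "PATCH", route: "/api/*/posts/*", maxRequests: 100, windowMs: 60_000 },
  { method: "PATCH", route: "/api/v2/*", maxRequests: 50, windowMs: 60_000 },
  { method: "GET", route: "/api/v2/posts/:number", maxRequests: 200, windowMs: 60_000 },
];

// Assumption: "*" matches any remainder of the path, ":param" matches one segment.
function routeToRegex(route) {
  const escaped = route.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const pattern = escaped.replace(/\*/g, ".*").replace(/:[A-Za-z0-9_]+/g, "[^/]+");
  return new RegExp(`^${pattern}$`);
}

const isWildcard = (e) => e.route.includes("*");

// Route selection: exact (non-wildcard) match wins; otherwise the matching
// wildcard with the lowest limit. Exactly one rule (or none) is returned.
function selectRule(method, path, endpoints) {
  const candidates = endpoints.filter((e) => e.method === method);
  const exact = candidates.find((e) => !isWildcard(e) && routeToRegex(e.route).test(path));
  if (exact) return exact;
  const wildcards = candidates.filter((e) => isWildcard(e) && routeToRegex(e.route).test(path));
  if (wildcards.length === 0) return null;
  return wildcards.reduce((lowest, e) => (e.maxRequests < lowest.maxRequests ? e : lowest));
}

// Identity selection: group beats user beats IP. Requests from localhost are
// never counted (null key). "::1" is added here as an IPv6-loopback assumption.
// `req` is a constructed shape: { method, path, ip, userId?, rateLimitGroup? }.
function counterKey(req) {
  if (req.ip === "127.0.0.1" || req.ip === "::1") return null;
  if (req.rateLimitGroup) return `group:${req.rateLimitGroup}`;
  if (req.userId) return `user:${req.userId}`;
  return `ip:${req.ip}`;
}

// Which rule and which counter would a request be charged against?
// key === null means the request bypasses rate limiting entirely.
function resolve(req, endpoints = ENDPOINTS) {
  const rule = selectRule(req.method, req.path, endpoints);
  if (!rule) return { rule: null, key: null };
  return { rule, key: counterKey(req) };
}
```

With this table, POST /auth/password-reset is charged against the 3/min exact rule even though POST /auth/* (10/min) also matches, and PATCH /api/v2/posts/42 matches two wildcards (100/min and 50/min) and gets the 50/min one. A request carrying a group ID is counted only under that group, so a whole company shares one bucket regardless of how many users or IPs it comes from; that is the behaviour to keep in mind when choosing a group limit.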

Available for:

  • Other agents will follow soon
