API Rate Limiting in Sitecore Send


Today, I am going to talk about the rate-limiting of different APIs provided by Sitecore Send.

First, let's understand what API rate limiting is, why it is important for your solution, and what the common ways are to implement rate limiting for an API in C#.

API rate limiting is an important concept in software development, especially when designing and building scalable and efficient systems. It controls how often a client can call an API within a given timeframe, which keeps the service stable and performing well in the face of misuse or extreme usage.

What is API Rate Limiting?

API rate limiting is a technique used to control how many API requests the server accepts from a client over a certain period of time. Think of it as preventing an API traffic jam: if too many requests reach the server, it may crash or slow down severely. When the client exceeds the allowed limit, the server returns an error response, which is HTTP 429 (Too Many Requests).

For example, if a limit of 20 requests per minute is established, a client can make up to 20 requests within 60 seconds. If the limit is exceeded, any further requests made during that minute might be refused until the rate-limit window has elapsed.

Why API Rate Limiting is Important

Protect Server - It limits excessive load on the servers so that they do not become too slow or even crash under heavy user traffic.

Avoid Spamming and Spoofing - It prevents malicious users from over-requesting the server and so keeps the services easily accessible to real users.

Cost Management - API calls can cost money per request, especially with a third-party or cloud-based service. Rate limiting stops unwarranted spikes in usage, which helps in controlling costs.

Defining Fair Usage - Multi-tenant systems need to be designed so that no one client uses more of the resources than the others. To keep usage fair, rate limiting should be enforced on the system side.

Improved User Experience - A well-implemented rate-limiting strategy can maintain fast response times and prevent downtime, which leads to a better experience for end users.

Different Ways of Implementing API Rate Limiting in C#

Client-Side Rate Limiting - Server-side throttling can be simulated on the client side with mechanisms such as Task.Delay, which introduce delays between consecutive requests in the C# code.

Server-Side Middleware - Use middleware in ASP.NET Core Web API to limit the number of requests from each client.

Token Bucket Algorithm - An API can use the Token Bucket algorithm to limit how many requests it accepts. The algorithm "fills" a bucket with tokens at a fixed rate, and each request uses one token. If no tokens are available, the request is refused.

Redis-Based Rate Limiting - This method stores the rate-limit counters in Redis. This is very convenient in distributed environments where several servers need the same rate-limit information.

API Gateway Rate Limiting - In this method, the rate-limiting policies are configured directly on a front-end gateway such as AWS API Gateway, Azure API Management, or Kong API Gateway, instead of in the C# code.

Sitecore Send API Rate Limiting

The Sitecore Send API enforces rate limiting to prevent the API from being overwhelmed by too many requests. It allows only a certain number of API calls from each user within a given time. If a user sends too many requests, the rate limiter can throttle that client's connections.

The table below describes the current rate limit (number of requests per 10 seconds) per user (per API key):


Below is an example of a response when request submissions exceed the rate limit. When you go over the rate limit, you receive a RATE_LIMITING error in the response body.


Note: The HTTP status code returned from the API is 200, yet the code in the response you receive back from the API is 429.
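
Because of the note above, a client cannot rely on the HTTP status alone to detect throttling. The C# helper below is an added example (not from Sitecore's documentation or SDK): it checks the response body for the rate-limit marker and waits with Task.Delay before retrying. The JSON field names `Code` and `Error`, the sample bodies, and the class and method names are assumptions made for illustration.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;

public static class SendRateLimit
{
    // True when the body reports rate limiting, whatever the HTTP status was.
    // The field names "Code" and "Error" are assumptions for this example.
    public static bool IsRateLimited(string body)
    {
        try
        {
            using JsonDocument doc = JsonDocument.Parse(body);
            JsonElement root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object) return false;
            bool code429 = root.TryGetProperty("Code", out JsonElement c)
                && c.ValueKind == JsonValueKind.Number && c.TryGetInt32(out int code) && code == 429;
            bool errorFlag = root.TryGetProperty("Error", out JsonElement e)
                && e.ValueKind == JsonValueKind.String && e.GetString() == "RATE_LIMITING";
            return code429 || errorFlag;
        }
        catch (JsonException) { return false; } // not JSON: treat as not throttled
    }

    // Calls send() and waits out the 10-second window while the body says throttled.
    public static async Task<string> CallWithBackoffAsync(
        Func<Task<string>> send, int maxAttempts = 3, TimeSpan? wait = null)
    {
        TimeSpan delay = wait ?? TimeSpan.FromSeconds(10);
        for (int attempt = 1; ; attempt++)
        {
            string body = await send();
            if (!IsRateLimited(body)) return body;
            if (attempt >= maxAttempts) throw new InvalidOperationException("Still rate limited.");
            await Task.Delay(delay);
        }
    }

    public static async Task Main()
    {
        // Constructed sample bodies, not captured from the real API.
        string[] replies = { "{\"Code\":429,\"Error\":\"RATE_LIMITING\",\"Context\":null}",
                             "{\"Code\":0,\"Error\":null,\"Context\":[]}" };
        int i = 0;
        string ok = await CallWithBackoffAsync(
            () => Task.FromResult(replies[i++]), wait: TimeSpan.FromMilliseconds(50));
        Console.WriteLine(ok); // second body, returned after one backoff
    }
}
```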

References

API Rate Limiting in Sitecore Send - https://doc.sitecore.com/send/en/developers/api-documentation/api-rate-limiting.html

API Rate Limiting in C# - https://www.c-sharpcorner.com/article/implement-rate-limiting-in-asp-net-core-web-api
Chirag Goel
