Enable rate limiting on a per-user / per-client basis Open ID

Hi everyone!

I need to configure the rate limit per user on every API, but when it is configured by policy and I try to fetch with different users, the rate limit is applied to the entire API. Can someone guide me in setting up this configuration? We use Open ID authentication.

I tried the global rate limit in the API config, and by policies (both in separate tests). The checkbox in authentication with the description “Enable rate limiting on a per-user / per-client basis” is checked.

Lots of thanks!

Hey @Kradev

Welcome to the community.

Rate limiting is tied to authentication (whether that is auth tokens, JWTs, etc.).

You can set up a JavaScript IP-based rate limiter that will inject the IP address as a token.

This will allow Tyk to perform rate limiting for each user.

You can further complement the JS plugin with a global API rate limit, but this is across ALL API calls for this API.

Hi @Michael.m

We have auth configured with policies, but the rate limit is triggered on the entire API and not per user session; is that correct? It is set up as a Key-Level Per-API Rate Limit.

Is injecting the IP address the only way to control the rate limit per user?

Hi @Kradev,

You can use scope mapping to apply different rate limits. Integrate with OIDC

See here also: Dynamic Authorization Using JWT Scope Policies in Tyk - YouTube

See post on similar discussion: Filtering access using Keycloak roles - #2 by marvin

@Ubong
I believe @Kradev is referring to a setting available to enable rate limiting on a per-user / per-client basis if you use Open ID.
But there doesn’t seem to be a way to configure the setting itself, and it ends up using the global limits.

Hi @Kradev,

Welcome to the community :tada:

When a client is added, a corresponding policy is attached, and the rate limit defined in the policy is applied when the API is called with the client’s token. When adding multiple clients, different policies, with different rate limits can be attached as desired, and rate limit is enforced on a per-client basis.

I wonder if this clarifies?
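To make the last answer concrete, here is an added configuration example (mine, not from the original thread or from Tyk's own docs) showing what "one policy per client" looks like on disk. It contains two separate artifacts shown side by side in one JSON object: `policies` is the content of a `policies.json` file with two policies carrying different `rate`/`per` limits, and `api_definition` is the fragment of the API definition that enables OpenID and maps each OIDC client ID to its policy. Assumptions: the API ID `my-api-id`, the policy IDs `policy-client-a` / `policy-client-b`, the issuer URL and the client IDs `client-a` / `client-b` are all placeholders; the keys under `client_ids` are those client IDs base64-encoded, as Tyk expects; and `segregate_by_client` is, to my understanding, the field behind the dashboard checkbox quoted in the question (treat that mapping as an assumption and verify it against your Tyk version). The API-level `global_rate_limit` is left at zero so the per-client policy limits are what actually apply.

```json
{
  "policies": {
    "policy-client-a": {
      "org_id": "default",
      "rate": 100,
      "per": 60,
      "quota_max": -1,
      "quota_renewal_rate": 3600,
      "access_rights": {
        "my-api-id": {
          "api_name": "My API",
          "api_id": "my-api-id",
          "versions": ["Default"]
        }
      },
      "active": true
    },
    "policy-client-b": {
      "org_id": "default",
      "rate": 10,
      "per": 60,
      "quota_max": -1,
      "quota_renewal_rate": 3600,
      "access_rights": {
        "my-api-id": {
          "api_name": "My API",
          "api_id": "my-api-id",
          "versions": ["Default"]
        }
      },
      "active": true
    }
  },
  "api_definition": {
    "api_id": "my-api-id",
    "name": "My API",
    "org_id": "default",
    "use_keyless": false,
    "use_openid": true,
    "openid_options": {
      "providers": [
        {
          "issuer": "https://idp.example.com/realms/demo",
          "client_ids": {
            "Y2xpZW50LWE=": "policy-client-a",
            "Y2xpZW50LWI=": "policy-client-b"
          }
        }
      ],
      "segregate_by_client": true
    },
    "global_rate_limit": {
      "rate": 0,
      "per": 0
    }
  }
}
```

To check the behaviour, obtain a token from the IdP for `client-a` and another for `client-b` and call the API in a loop with each: with this configuration `client-a` should hit HTTP 429 after 100 calls per minute and `client-b` after 10, independently of each other. If both tokens share one counter, the request is being matched by the API-level limit (or a single default policy) rather than by the client-to-policy mapping, which is the symptom described in the question. Note that a rate limit keyed on the OIDC client only separates applications, not people: two users of the same client share that client's budget, so per-person limiting needs a key derived from the user (for example a `sub` claim mapped via a JWT policy), not the client.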