Non-expected behaviour of Rate Limiting in key with multiple API

I am using Open Source Tyk(Gateway)
I have created a key with gives access to multiple APIs
So basically in key for rate we have one parameter
but in case of multiple API, in API under access_rights we have limit object in which we can set rate, quota ,etc. I have set that (below is the JSON of it) but rate limiting on individual basis is getting applied because all API in the key is accepting same number of requests in case of rate limiting

Key payload

{
    "last_check": 0,
    "allowance": 0,
    "rate": 10,
    "per": 50,
    "throttle_interval": 0,
    "throttle_retry_limit": 0,
    "max_query_depth": 0,
    "date_created": "2022-02-08T12:22:01.1904417Z",
    "expires": 0,
    "quota_max": 0,
    "quota_renews": 1644322921,
    "quota_remaining": 0,
    "quota_renewal_rate": 0,
    "access_rights": {
        "e34967cf-743d-4646-a208-c102d35c548d": {
            "api_name": "limittest",
            "api_id": "e34967cf-743d-4646-a208-c102d35c548d",
            "versions": ["default"],
            "allowed_urls": null,
            "restricted_types": null,
            "limit": {
                "rate": 3,
                "per": 10,
                "throttle_interval": 0,
                "throttle_retry_limit": 0,
                "max_query_depth": 0,
                "quota_max": -1,
                "quota_renews": 0,
                "quota_remaining": 0,
                "quota_renewal_rate": 3600,
                "set_by_policy": false
            },
            "field_access_rights": null,
            "allowance_scope": ""
        },
        "7c729c71-c38e-4034-8564-527584d5c920": {
            "api_name": "limittest2",
            "api_id": "7c729c71-c38e-4034-8564-527584d5c920",
            "versions": ["default"],
            "allowed_urls": null,
            "restricted_types": null,
            "limit": {
                "rate": 5,
                "per": 15,
                "throttle_interval": 0,
                "throttle_retry_limit": 0,
                "max_query_depth": 0,
                "quota_max": -1,
                "quota_renews": 0,
                "quota_remaining": 0,
                "quota_renewal_rate": 3600,
                "set_by_policy": false
            },
            "field_access_rights": null,
            "allowance_scope": ""
        }
    },
    "org_id": "",
    "oauth_client_id": "",
    "oauth_keys": null,
    "certificate": "",
    "basic_auth_data": {
        "password": "",
        "hash_type": ""
    },
    "jwt_data": {
        "secret": ""
    },
    "hmac_enabled": false,
    "enable_http_signature_validation": false,
    "hmac_string": "",
    "rsa_certificate_id": "",
    "is_inactive": false,
    "apply_policy_id": "",
    "apply_policies": null,
    "data_expires": 0,
    "monitor": {
        "trigger_limits": null
    },
    "enable_detail_recording": false,
    "enable_detailed_recording": false,
    "meta_data": {},
    "tags": [],
    "alias": "",
    "last_updated": "1644322921",
    "id_extractor_deadline": 0,
    "session_lifetime": 0
}

Key data JSON when I perform get action on it

    "last_check": 0,
    "allowance": 0,
    "rate": 10,
    "per": 50,
    "throttle_interval": 0,
    "throttle_retry_limit": 0,
    "max_query_depth": 0,
    "date_created": "2022-02-21T15:23:59.6427353Z",
    "expires": 0,
    "quota_max": 0,
    "quota_renews": 1645457039,
    "quota_remaining": 0,
    "quota_renewal_rate": 0,
    "access_rights": {
        "7c729c71-c38e-4034-8564-527584d5c920": {
            "api_name": "limittest2",
            "api_id": "7c729c71-c38e-4034-8564-527584d5c920",
            "versions": [
                "default"
            ],
            "allowed_urls": null,
            "restricted_types": null,
            "limit": {
                "rate": 5,
                "per": 15,
                "throttle_interval": 0,
                "throttle_retry_limit": 0,
                "max_query_depth": 0,
                "quota_max": -1,
                "quota_renews": 0,
                "quota_remaining": 0,
                "quota_renewal_rate": 3600
            },
            "field_access_rights": null,
            "allowance_scope": ""
        },
        "e34967cf-743d-4646-a208-c102d35c548d": {
            "api_name": "limittest",
            "api_id": "e34967cf-743d-4646-a208-c102d35c548d",
            "versions": [
                "default"
            ],
            "allowed_urls": null,
            "restricted_types": null,
            "limit": {
                "rate": 3,
                "per": 10,
                "throttle_interval": 0,
                "throttle_retry_limit": 0,
                "max_query_depth": 0,
                "quota_max": -1,
                "quota_renews": 0,
                "quota_remaining": 0,
                "quota_renewal_rate": 3600
            },
            "field_access_rights": null,
            "allowance_scope": ""
        }
    },
    "org_id": "",
    "oauth_client_id": "",
    "oauth_keys": null,
    "certificate": "",
    "basic_auth_data": {
        "password": "",
        "hash_type": ""
    },
    "jwt_data": {
        "secret": ""
    },
    "hmac_enabled": false,
    "enable_http_signature_validation": false,
    "hmac_string": "",
    "rsa_certificate_id": "",
    "is_inactive": false,
    "apply_policy_id": "",
    "apply_policies": null,
    "data_expires": 0,
    "monitor": {
        "trigger_limits": null
    },
    "enable_detail_recording": false,
    "enable_detailed_recording": false,
    "meta_data": {},
    "tags": [],
    "alias": "",
    "last_updated": "1645457039",
    "id_extractor_deadline": 0,
    "session_lifetime": 0
}

limitTest API definition

{
    "name": "limitTest",
    "slug": "",
    "listen_port": 0,
    "protocol": "",
    "enable_proxy_protocol": false,
    "api_id": "e34967cf-743d-4646-a208-c102d35c548d",
    "org_id": "",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": false,
    "openid_options": {
        "providers": null,
        "segregate_by_client": false
    },
    "oauth_meta": {
        "allowed_access_types": null,
        "allowed_authorize_types": null,
        "auth_login_redirect": ""
    },
    "auth": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": "",
        "auth_header_name": "",
        "use_certificate": false,
        "validate_signature": false,
        "signature": {
            "algorithm": "",
            "header": "",
            "secret": "",
            "allowed_clock_skew": 0,
            "error_code": 0,
            "error_message": ""
        }
    },
    "auth_configs": null,
    "use_basic_auth": false,
    "basic_auth": {
        "disable_caching": false,
        "cache_ttl": 0,
        "extract_from_body": false,
        "body_user_regexp": "",
        "body_password_regexp": ""
    },
    "use_mutual_tls_auth": false,
    "client_certificates": null,
    "upstream_certificates": null,
    "pinned_public_keys": null,
    "enable_jwt": false,
    "use_standard_auth": true,
    "use_go_plugin_auth": false,
    "enable_coprocess_auth": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": null,
    "jwt_issued_at_validation_skew": 0,
    "jwt_expires_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_skip_kid": false,
    "jwt_scope_to_policy_mapping": null,
    "jwt_scope_claim_name": "",
    "notifications": {
        "shared_secret": "",
        "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": 0,
    "hmac_allowed_algorithms": null,
    "request_signing": {
        "is_enabled": false,
        "secret": "",
        "key_id": "",
        "algorithm": "",
        "header_list": null,
        "certificate_id": "",
        "signature_header": ""
    },
    "base_identity_provided_by": "",
    "definition": {
        "location": "",
        "key": "",
        "strip_path": true
    },
    "version_data": {
        "not_versioned": false,
        "default_version": "default",
        "versions": {
            "default": {
                "name": "default",
                "expires": "",
                "paths": {
                    "ignored": null,
                    "white_list": null,
                    "black_list": null
                },
                "use_extended_paths": true,
                "extended_paths": {},
                "global_headers": null,
                "global_headers_remove": [
                    "Authorization"
                ],
                "global_response_headers": null,
                "global_response_headers_remove": null,
                "ignore_endpoint_case": false,
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    },
    "uptime_tests": {
        "check_list": null,
        "config": {
            "expire_utime_after": 0,
            "service_discovery": {
                "use_discovery_service": false,
                "query_endpoint": "",
                "use_nested_query": false,
                "parent_data_path": "",
                "data_path": "",
                "port_data_path": "",
                "target_path": "",
                "use_target_list": false,
                "cache_timeout": 0,
                "endpoint_returns_list": false
            },
            "recheck_wait": 0
        }
    },
    "proxy": {
        "preserve_host_header": false,
        "listen_path": "/limittest/",
        "target_url": "http://httpbin.org",
        "disable_strip_slash": false,
        "strip_listen_path": true,
        "enable_load_balancing": false,
        "target_list": [],
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "",
            "port_data_path": "",
            "target_path": "",
            "use_target_list": false,
            "cache_timeout": 0,
            "endpoint_returns_list": false
        },
        "transport": {
            "ssl_insecure_skip_verify": false,
            "ssl_ciphers": null,
            "ssl_min_version": 0,
            "ssl_max_version": 0,
            "ssl_force_common_name_check": false,
            "proxy_url": ""
        }
    },
    "disable_rate_limit": false,
    "disable_quota": false,
    "custom_middleware": {
        "pre": null,
        "post": null,
        "post_key_auth": null,
        "auth_check": {
            "name": "",
            "path": "",
            "require_session": false,
            "raw_body_only": false
        },
        "response": null,
        "driver": "",
        "id_extractor": {
            "extract_from": "",
            "extract_with": "",
            "extractor_config": null
        }
    },
    "custom_middleware_bundle": "",
    "cache_options": {
        "cache_timeout": 0,
        "enable_cache": false,
        "cache_all_safe_requests": false,
        "cache_response_codes": null,
        "enable_upstream_cache_control": false,
        "cache_control_ttl_header": "",
        "cache_by_headers": null
    },
    "session_lifetime": 0,
    "active": true,
    "internal": false,
    "auth_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "session_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "event_handlers": {
        "events": null
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": true,
    "allowed_ips": [],
    "enable_ip_blacklisting": true,
    "blacklisted_ips": [],
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": null,
    "CORS": {
        "enable": false,
        "allowed_origins": null,
        "allowed_methods": null,
        "allowed_headers": null,
        "exposed_headers": null,
        "allow_credentials": false,
        "max_age": 0,
        "options_passthrough": false,
        "debug": false
    },
    "domain": "",
    "certificates": null,
    "do_not_track": false,
    "tags": null,
    "enable_context_vars": false,
    "config_data": null,
    "tag_headers": null,
    "global_rate_limit": {
        "rate": 0,
        "per": 0
    },
    "strip_auth_data": false,
    "enable_detailed_recording": false,
    "graphql": {
        "enabled": false,
        "execution_mode": "",
        "version": "",
        "schema": "",
        "type_field_configurations": null,
        "playground": {
            "enabled": false,
            "path": ""
        },
        "engine": {
            "field_configs": null,
            "data_sources": null
        }
    }
}

limitTest2 API definition

{
    "name": "limitTest2",
    "slug": "",
    "listen_port": 0,
    "protocol": "",
    "enable_proxy_protocol": false,
    "api_id": "7c729c71-c38e-4034-8564-527584d5c920",
    "org_id": "",
    "use_keyless": false,
    "use_oauth2": false,
    "use_openid": false,
    "openid_options": {
        "providers": null,
        "segregate_by_client": false
    },
    "oauth_meta": {
        "allowed_access_types": null,
        "allowed_authorize_types": null,
        "auth_login_redirect": ""
    },
    "auth": {
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": "",
        "auth_header_name": "",
        "use_certificate": false,
        "validate_signature": false,
        "signature": {
            "algorithm": "",
            "header": "",
            "secret": "",
            "allowed_clock_skew": 0,
            "error_code": 0,
            "error_message": ""
        }
    },
    "auth_configs": null,
    "use_basic_auth": false,
    "basic_auth": {
        "disable_caching": false,
        "cache_ttl": 0,
        "extract_from_body": false,
        "body_user_regexp": "",
        "body_password_regexp": ""
    },
    "use_mutual_tls_auth": false,
    "client_certificates": null,
    "upstream_certificates": null,
    "pinned_public_keys": null,
    "enable_jwt": false,
    "use_standard_auth": true,
    "use_go_plugin_auth": false,
    "enable_coprocess_auth": false,
    "jwt_signing_method": "",
    "jwt_source": "",
    "jwt_identity_base_field": "",
    "jwt_client_base_field": "",
    "jwt_policy_field_name": "",
    "jwt_default_policies": null,
    "jwt_issued_at_validation_skew": 0,
    "jwt_expires_at_validation_skew": 0,
    "jwt_not_before_validation_skew": 0,
    "jwt_skip_kid": false,
    "jwt_scope_to_policy_mapping": null,
    "jwt_scope_claim_name": "",
    "notifications": {
        "shared_secret": "",
        "oauth_on_keychange_url": ""
    },
    "enable_signature_checking": false,
    "hmac_allowed_clock_skew": 0,
    "hmac_allowed_algorithms": null,
    "request_signing": {
        "is_enabled": false,
        "secret": "",
        "key_id": "",
        "algorithm": "",
        "header_list": null,
        "certificate_id": "",
        "signature_header": ""
    },
    "base_identity_provided_by": "",
    "definition": {
        "location": "",
        "key": "",
        "strip_path": true
    },
    "version_data": {
        "not_versioned": false,
        "default_version": "default",
        "versions": {
            "default": {
                "name": "default",
                "expires": "",
                "paths": {
                    "ignored": null,
                    "white_list": null,
                    "black_list": null
                },
                "use_extended_paths": true,
                "extended_paths": {},
                "global_headers": null,
                "global_headers_remove": [
                    "Authorization"
                ],
                "global_response_headers": null,
                "global_response_headers_remove": null,
                "ignore_endpoint_case": false,
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    },
    "uptime_tests": {
        "check_list": null,
        "config": {
            "expire_utime_after": 0,
            "service_discovery": {
                "use_discovery_service": false,
                "query_endpoint": "",
                "use_nested_query": false,
                "parent_data_path": "",
                "data_path": "",
                "port_data_path": "",
                "target_path": "",
                "use_target_list": false,
                "cache_timeout": 0,
                "endpoint_returns_list": false
            },
            "recheck_wait": 0
        }
    },
    "proxy": {
        "preserve_host_header": false,
        "listen_path": "/limittest2/",
        "target_url": "http://httpbin.org",
        "disable_strip_slash": false,
        "strip_listen_path": true,
        "enable_load_balancing": false,
        "target_list": [],
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "",
            "port_data_path": "",
            "target_path": "",
            "use_target_list": false,
            "cache_timeout": 0,
            "endpoint_returns_list": false
        },
        "transport": {
            "ssl_insecure_skip_verify": false,
            "ssl_ciphers": null,
            "ssl_min_version": 0,
            "ssl_max_version": 0,
            "ssl_force_common_name_check": false,
            "proxy_url": ""
        }
    },
    "disable_rate_limit": false,
    "disable_quota": false,
    "custom_middleware": {
        "pre": null,
        "post": null,
        "post_key_auth": null,
        "auth_check": {
            "name": "",
            "path": "",
            "require_session": false,
            "raw_body_only": false
        },
        "response": null,
        "driver": "",
        "id_extractor": {
            "extract_from": "",
            "extract_with": "",
            "extractor_config": null
        }
    },
    "custom_middleware_bundle": "",
    "cache_options": {
        "cache_timeout": 0,
        "enable_cache": false,
        "cache_all_safe_requests": false,
        "cache_response_codes": null,
        "enable_upstream_cache_control": false,
        "cache_control_ttl_header": "",
        "cache_by_headers": null
    },
    "session_lifetime": 0,
    "active": true,
    "internal": false,
    "auth_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "session_provider": {
        "name": "",
        "storage_engine": "",
        "meta": null
    },
    "event_handlers": {
        "events": null
    },
    "enable_batch_request_support": false,
    "enable_ip_whitelisting": true,
    "allowed_ips": [],
    "enable_ip_blacklisting": true,
    "blacklisted_ips": [],
    "dont_set_quota_on_create": false,
    "expire_analytics_after": 0,
    "response_processors": null,
    "CORS": {
        "enable": false,
        "allowed_origins": null,
        "allowed_methods": null,
        "allowed_headers": null,
        "exposed_headers": null,
        "allow_credentials": false,
        "max_age": 0,
        "options_passthrough": false,
        "debug": false
    },
    "domain": "",
    "certificates": null,
    "do_not_track": false,
    "tags": null,
    "enable_context_vars": false,
    "config_data": null,
    "tag_headers": null,
    "global_rate_limit": {
        "rate": 0,
        "per": 0
    },
    "strip_auth_data": false,
    "enable_detailed_recording": false,
    "graphql": {
        "enabled": false,
        "execution_mode": "",
        "version": "",
        "schema": "",
        "type_field_configurations": null,
        "playground": {
            "enabled": false,
            "path": ""
        },
        "engine": {
            "field_configs": null,
            "data_sources": null
        }
    }
}

STRANGE BEHAVIOR OBSERVED :- Key which I get in with above mentioned Key playload, when I apply that key on limitTest2 first then both API works according to specified limit in access_rights limit parameter but when I apply generated key on limitTest API first then its same rate limit gets applied to both APIs

Update:- This issue is been resolved by adding allowance_scope = {apiId} in access_rights.{apiId}.limit

That’s great to hear @Shivam_Gupta. Happy you were able to self-resolve the issue.