Rate limiting at endpoint level

Anup_Rai · June 16, 2025, 1:54pm

Hi All,

I am trying to configure rate limiting at endpoint level in Tyk but not able to achieve it.

Below is my API payload for this -

{
    "api_id": "b84fe1a04e5648927971c0557971565c",
    "use_keyless": true,
    "definition": {
        "key": "version",
        "location": "header"
    },
    "name": "Tyk Test API",
    "org_id": "664a14650619d40001f1f00f",
    "proxy": {
        "listen_path": "/tyk-api-test/",
        "strip_listen_path": true,
        "target_url": "https://httpbin.org"
    },
    "global_rate_limit": {
        "disabled": false,
        "rate": 10,
        "per": 60
    },
    "version_data": {
      "not_versioned": true,
      "versions": {
        "default": {
          "name": "default",
          "use_extended_paths": true,
          "extended_paths": {
            "rate_limit": [
              {
                "disabled": false,
                "path": "anything",
                "method": "GET",
                "limit": 2,
                "per": 60,
                "distributed": false
              },
              {
                "disabled": false,
                "path": "anything",
                "method": "POST",
                "limit": 5,
                "per": 60,
                "distributed": false
              }
            ]
          }
        }
      }
    }
}

When I am testing this API with GET and POST I dont see rate limit is getting applied.

Also when I do “GET /tyk/apis/b84fe1a04e5648927971c0557971565c” I am not able to see rate_limit section in response.

I am referring to below docs links for reference -

Please let me know if I am missing anything here.

Andres_Tubelleja_III · June 30, 2025, 8:44am

Hi @Anup_Rai ,

Looking at your API definition, it looks like you are using “limit” instead of “rate” as per our documentation. Kindly change the rate_limit in your Tyk Dashboard API Raw Editor to the following:

"rate_limit": [
  {
    "disabled": false,
    "path": "anything",
    "method": "GET",
    "rate": 2,
    "per": 60
  },
  {
    "disabled": false,
    "path": "anything",
    "method": "POST",
    "rate": 5,
    "per": 60
  }
]

You should be able to confirm the rate_limit being applied when you:

Call the GET /anything endpoint 3 times within 60s
Call the POST /anything endpoint 6 times within 60s

Regarding this, can you clarify the error or response you are receiving?
If it’s the 403 “Attempted administrative access with invalid or missing key!” error, you need to pass the x-tyk-authorization header along with your Tyk Gateway Secret as the value.
If you are getting the JSON object of the API as a response, this should be the same as when you view the API definition via Raw Editor, and the rate_limit object should be found under api_definition.version_data.versions.default.extended_paths.rate_limit.

If you’re getting any other response aside from the above, kindly let us know by providing it here.

Hope this helps!