Rate limiting scenario on a per-key basis

Hi everyone.

Just thinking how best to do this. Assume I have 100 APIs all protected with JWT tokens issued by Auth0.

Furthermore, the azp claim in the JWT contains the identity of the application that is making the call to these APIs.

So I might have this scenario as an example:

  1. AZP = xxxxxx. Scope = “allow:API1 allow:API55 allow:API32”
  2. AZP = yyyyyy. Scope = “allow:API10 allow:API3 allow:API74 allow:API98”

Is there a way to get Tyk to perform

  1. Based on AZP=xxxx, only allow access to API1, 5, and 32. And for API1, set a rate limit of xx/hour, API2 set a rate limit of yy/hour, API3 set a rate limit of zz/hour.
  2. Based on AZP=yyyy, only allow access to API10, 3, 74, and 98. And for API10, set a rate limit of aa/hour, API3 set a rate limit of bb/hour, API74 set a rate limit of cc/hour, and API98 set a rate limit of dd/hour.

Should I do this instead?

  1. Create a policy called “CustomerA policy”. In this policy, configure which APIs it allows access to and at what rates (per-API).
  2. Configure Auth0 to insert a claim called “pol” that contains the policy-id of #1.

And voila, that’s it. Am I on the right track? That means whatever scopes that are present in the “scope” claim and the value in the “azp” claim are of no use because access and rate limits are already controlled by “CustomerA policy” ?

By the way, this is ONLY for client credentials grant type in OAuth 2.0 and the “azp” claim contains the client-id.

Hi @Jesum_Yip

We have seen you opened a support ticket for the same question and we have discussed this internally.

We would reply to you from there and share our response on the forum once addressed your enquiry