What's the difference between the limits at the top level of API keys and those set in the "access_rights" object?

API Keys have top-level fields of “rate”, “per”, “quota_remaining” etc. as well as the ones within the “access_rights” objects:

GET /tyk/keys/{api_key}

{
    ...
    "rate": 30,
    "per": 30,
    "quota_max": 20,
    "quota_renews": 0,
    "quota_remaining": 0,
    "quota_renewal_rate": 60,
    "access_rights": {
        "my-api": {
            "api_name": "My API",
            "api_id": "my-api",
            "versions": [
                "Default"
            ],
            "allowed_urls": [],
            "restricted_types": null,
            "limit": {
                "rate": 30,
                "per": 30,
                "throttle_interval": 0,
                "throttle_retry_limit": 0,
                "max_query_depth": 0,
                "quota_max": 20,
                "quota_renews": 0,
                "quota_remaining": 20,
                "quota_renewal_rate": 60
            },
            "field_access_rights": null,
            "allowance_scope": ""
        }
    },
    "org_id": "my-org",
    "is_inactive": false,
    "apply_policy_id": "",
    "apply_policies": [
        "my-api-silver"
    ],
    ...
}

Which API do those top-level limits refer to and how are they applied when you have multiple APIs listed in your “access_rights” object (because you have multiple “apply_policies” listed)?

Hi @flyte ,

Which API do those top-level limits refer to and how are they applied when you have multiple APIs listed in your “access_rights” object (because you have multiple “apply_policies” listed)?

Rate limits are documented here and in particular the interplay between API rate limits and key rate limits.

When rate limiting measures are put in place, they are assessed in this order (if applied):
1. API-level global rate limit
2. Key-level global rate limit
3. Key-level per-API rate limit

But that doesn’t answer all of your question. When a policy is applied, its rate limits override the ones in the key.

When applying multiple policies, they should be partitioned so that only one specifies the rate limit for the API.

Cheers,
Pete
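
One way to check the partitioning advice in the answer above before attaching several policies to a key, as an added example that is not part of the original thread and not Tyk's own code. It assumes policy objects carrying `partitions` flags and an `access_rights` map, that a policy with no partition flag enabled applies all of its limits, and that a policy counts for every API in its own `access_rights`; the policy ids other than `my-api-silver` are constructed.

```python
from collections import defaultdict


def sets_rate_limit(policy):
    """True if this policy contributes a rate limit.

    Assumption: a policy with no partition flag enabled is unpartitioned,
    so every limit it carries (rate limit included) is applied.
    """
    parts = policy.get("partitions") or {}
    if not any(parts.values()):
        return True
    return bool(parts.get("rate_limit"))


def rate_limit_conflicts(policies, apply_policies):
    """Return {api_id: [policy ids]} for APIs whose rate limit is set by
    more than one of the policies listed in a key's apply_policies."""
    owners = defaultdict(list)
    for pid in apply_policies:
        policy = policies.get(pid)
        if policy is None:
            raise ValueError(f"unknown policy id: {pid}")
        if sets_rate_limit(policy):
            # Assumption: the policy counts for each API in its access_rights.
            for api_id in policy.get("access_rights", {}):
                owners[api_id].append(pid)
    return {api: pids for api, pids in owners.items() if len(pids) > 1}


# Constructed sample policies, keyed by policy id.
POLICIES = {
    "my-api-silver": {
        "rate": 30, "per": 30,
        "partitions": {"rate_limit": True, "quota": False, "acl": True},
        "access_rights": {"my-api": {}},
    },
    "example-quota-only": {
        "quota_max": 20,
        "partitions": {"rate_limit": False, "quota": True, "acl": False},
        "access_rights": {"my-api": {}},
    },
    "example-unpartitioned": {
        "rate": 100, "per": 60,
        "access_rights": {"my-api": {}, "other-api": {}},
    },
}

if __name__ == "__main__":
    print(rate_limit_conflicts(POLICIES, ["my-api-silver", "example-unpartitioned"]))
```

An empty result means at most one of the applied policies sets the rate limit for each API, which is the layout the answer recommends.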