Rate Limiting
Endpoint Manager Pro lets you set request thresholds at the global level and per individual endpoint. When a client exceeds the limit, their requests are blocked automatically — and repeat offenders can be added to the IP Block List without any manual intervention.
What It Does
Rate limiting controls how many requests a single IP address can make within a given time window. You configure a global threshold that applies to all endpoints by default, then optionally override it on a per-endpoint basis for routes that need tighter or looser limits.
When a client exceeds the allowed request count, subsequent requests receive a configurable HTTP error response. If the same IP continues to exceed limits, it can be auto-blocked — adding it to the IP Block List so all future requests are denied until you manually unblock it.
Key Capabilities
- Global request threshold — applies to all endpoints by default
- Per-endpoint overrides — set tighter limits on sensitive routes or loosen them on high-traffic ones
- Configurable time window for rate limit calculation
- Auto-block IPs that repeatedly exceed thresholds
- Works alongside the IP Block List — allowlisted IPs bypass rate limits entirely
- Blocked requests are logged in the security logs with full request details
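The decision flow described above, modelled as an added example; it is not Endpoint Manager Pro's own code. The fixed-window algorithm, counting per (IP, endpoint) pair, the `strikes_to_block` parameter, the 429/403 status codes, and the sample path and addresses are all assumptions made for illustration.

```python
import time
from collections import defaultdict

class RateLimiter:
    """Fixed-window, per-IP limiter with endpoint overrides and auto-block (illustrative model)."""

    def __init__(self, global_limit, window_s, overrides=None, allowlist=(),
                 strikes_to_block=3, limited_status=429, blocked_status=403):
        self.global_limit = global_limit          # default threshold for every endpoint
        self.window_s = window_s                  # length of the counting window, seconds
        self.overrides = overrides or {}          # endpoint -> its own threshold
        self.allowlist = set(allowlist)           # these IPs skip every check
        self.blocklist = set()                    # stays blocked until removed by hand
        self.strikes_to_block = strikes_to_block  # assumed: windows over limit before block
        self.limited_status = limited_status
        self.blocked_status = blocked_status
        self.counts = {}                          # (ip, endpoint) -> [window index, count]
        self.strikes = defaultdict(int)           # ip -> number of windows it went over
        self.log = []                             # stand-in for the security log

    def check(self, ip, endpoint, now=None):
        """Return (status, reason) for one request."""
        now = time.time() if now is None else now
        if ip in self.allowlist:                  # allowlist wins over limits and blocks
            return 200, "allowlisted"
        if ip in self.blocklist:
            return self._deny(ip, endpoint, now, self.blocked_status, "blocked")
        limit = self.overrides.get(endpoint, self.global_limit)
        window = int(now // self.window_s)
        slot = self.counts.setdefault((ip, endpoint), [window, 0])
        if slot[0] != window:                     # new window: counter starts over
            slot[0], slot[1] = window, 0
        slot[1] += 1
        if slot[1] <= limit:
            return 200, "ok"
        if slot[1] == limit + 1:                  # one strike per window, not per request
            self.strikes[ip] += 1
            if self.strikes[ip] >= self.strikes_to_block:
                self.blocklist.add(ip)            # auto-block takes effect on the next request
        return self._deny(ip, endpoint, now, self.limited_status, "rate_limited")

    def _deny(self, ip, endpoint, now, status, reason):
        self.log.append({"ts": now, "ip": ip, "endpoint": endpoint,
                         "status": status, "reason": reason})
        return status, reason

if __name__ == "__main__":
    # Constructed traffic: documentation-range IP, hypothetical endpoint path.
    rl = RateLimiter(global_limit=5, window_s=60, overrides={"/api/login": 2}, strikes_to_block=2)
    for t in (0, 0, 0, 60, 60, 60, 61):
        print(t, rl.check("198.51.100.7", "/api/login", now=t))
```

Counting strikes once per window keeps a single burst from triggering a permanent block, which matters because blocked IPs stay denied until someone unblocks them manually.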
How to Use It
Navigate to Endpoint Manager → Settings to configure the global rate limit threshold. To set a per-endpoint limit, find the endpoint in the main list and adjust its individual threshold. When auto-block is enabled, IPs that exceed the limit are automatically added to the Block List.
Monitor rate-limited requests in the security logs to identify patterns and fine-tune your thresholds over time.
Why It Matters
Without rate limiting, a single client can hammer your REST API with thousands of requests — degrading performance for legitimate users, inflating server costs, and potentially exposing data through brute-force enumeration. Rate limiting puts a ceiling on abuse while keeping your API accessible to normal traffic.
Combined with auto-block, rate limiting becomes a self-defending system: abusive IPs are identified and cut off automatically, reducing the need for constant manual monitoring.
Frequently Asked Questions
Does rate limiting affect logged-in administrators?
Rate limits apply to all requests by IP address. To exempt your own IP or trusted services, add them to the IP Allowlist so they bypass all rate limit and block rules.
What happens when a client hits the rate limit?
The request receives an HTTP error response with a configurable status code and message. The event is recorded in the security logs. If auto-block is enabled and the IP continues to exceed limits, it is added to the Block List.
Can I set different limits for different endpoints?
Yes. The global threshold provides a baseline, and you can override it on any individual endpoint. This lets you apply stricter limits to sensitive write endpoints while allowing more requests to read-only routes.