API throttling is the process of limiting the number of API requests a user can make within a given period of time. An application programming interface (API) acts as a bridge between a user and a software application. For example, when a user clicks "post" on a social media app, the click triggers an API call; the API communicates with the app's server over the internet and carries out the task of posting. The user can be a person or another software program.
Companies use API throttling to achieve several objectives at once: security, scalability, performance, monetization, authentication and availability.
A Real-Life Example of API Throttling in Business
Suppose a traveler searches for flights on an OTA (online travel agency) website. The OTA site collects the traveler's input, including origin, destination and travel dates, and then uses APIs to retrieve flight data from a GDS (Global Distribution System) such as Sabre or Amadeus. A GDS serves many agencies at once, so it throttles these API calls: a burst of searches from one OTA cannot consume the GDS's capacity and degrade service for the others.
Why do Businesses Need API Throttling?
APIs are among a company's most valuable assets. They let users of websites and mobile apps complete their tasks. As the number of users grows, the website or app starts to slow down, and users with faster connections or client interfaces may get a better experience than others. API throttling is a straightforward way for organizations to ensure fair use of their APIs.
API throttling also defends against denial-of-service (DoS) attacks, in which a malicious or compromised client makes a huge number of requests that bring down the website or mobile app. As the number of internet users grows, companies need API throttling mechanisms to guarantee fair use of the API, protect data, and block abusive traffic.
How Does API Throttling Work?
There are many ways to implement API throttling, but every throttling algorithm follows the same basic steps:
- A user or client connects to the web service or application through its API.
- The throttling logic checks whether the current request would exceed the allowed number of API calls.
- If the request is within the limit, the API processes it normally and completes the user's task.
- If the request is over the limit, the API returns an error response to the client (in HTTP APIs, conventionally 429 Too Many Requests, often with a Retry-After header).
- The client must then wait for the specified period, or pay for additional API calls.
What Are the Major API Throttling Algorithms?
Leaky Bucket API Throttling Algorithm
This algorithm uses a first-in-first-out (FIFO) queue of fixed size to hold incoming requests. When a new API call arrives, it is added to the back of the queue. At a fixed rate the algorithm takes the request at the front of the queue and processes it. If a new request arrives while the queue is already full, the request is dropped. This algorithm is closely related to the token bucket algorithm.
Advantages of Leaky Bucket
- Simple to implement and easy to reason about.
- Requests are processed at a steady rate. Even when the number of calls spikes, the server is not overwhelmed: the leaky bucket smooths a bursty input into a steady output.
Disadvantages of Leaky Bucket
- Because the leaky bucket uses a FIFO queue, starvation is possible: if the queue is full of older requests that take a long time to process, newer requests are dropped, because requests are always handled in arrival order.
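The queue-based leaky bucket described above, as an added example rather than code from the original article. Time is passed in explicitly so the run is deterministic; the request names and the traffic pattern in run_demo are constructed for illustration.

```python
from collections import deque


class LeakyBucket:
    """Leaky bucket throttle modelled as a bounded FIFO queue.

    Requests enter at the back of the queue; the server "leaks" (processes)
    them from the front at a constant drain_rate. If the queue is full when a
    request arrives, that request is dropped.
    """

    def __init__(self, capacity: int, drain_rate: float, start_time: float = 0.0):
        self.capacity = capacity        # maximum number of queued requests
        self.drain_rate = drain_rate    # requests processed per second
        self.queue = deque()            # pending requests, oldest at the front
        self.processed = []             # requests the server has handled
        self.dropped = []               # requests rejected because the bucket was full
        self.last_drain = start_time

    def _drain(self, now: float) -> None:
        """Process as many queued requests as the server has had time for."""
        whole = int((now - self.last_drain) * self.drain_rate)
        if whole <= 0:
            return
        # Advance the clock only by the whole requests' worth of time so that
        # fractional credit carries over to the next call.
        self.last_drain += whole / self.drain_rate
        for _ in range(min(whole, len(self.queue))):
            self.processed.append(self.queue.popleft())

    def submit(self, request_id: str, now: float) -> bool:
        """Return True if the request was queued, False if it overflowed."""
        self._drain(now)
        if len(self.queue) >= self.capacity:
            self.dropped.append(request_id)
            return False
        self.queue.append(request_id)
        return True


def run_demo() -> LeakyBucket:
    """Constructed traffic: a burst of 5 calls at t=0 into a bucket that holds
    3 requests and drains 1 request per second, followed by a few stragglers."""
    bucket = LeakyBucket(capacity=3, drain_rate=1.0)
    for i in range(1, 6):
        bucket.submit(f"r{i}", now=0.0)   # r1-r3 queued, r4 and r5 dropped
    bucket.submit("r6", now=2.0)          # r1 and r2 have leaked out: room again
    bucket.submit("r7", now=2.5)          # no whole second elapsed, still room
    bucket.submit("r8", now=2.5)          # queue full again: dropped
    bucket.submit("r9", now=10.0)         # everything has drained by now
    return bucket


if __name__ == "__main__":
    b = run_demo()
    print("processed:", b.processed)
    print("dropped:  ", b.dropped)
    print("waiting:  ", list(b.queue))
```

Note the starvation effect from the list above: r8 is dropped at t=2.5 while r3, which arrived at t=0, is still waiting at the front of the queue. Nothing is dropped because of its own cost, only because older requests occupy the fixed-size queue.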
Fixed Window API Throttling Algorithm
The fixed window algorithm allows N API calls per user within a fixed time period. For instance, a fixed window algorithm might permit 2 requests per minute. Time is divided into fixed frames of one minute each. At the start of a frame the counter is set to zero, and each request from the user increments it. If the counter reaches the limit before the frame ends, new requests are rejected. When the next frame begins, the counter resets to zero.
In a typical implementation of a fixed window algorithm, every user has a unique key with an associated counter. When a new fixed time window begins, the counter for that key is reset.
Advantage of Fixed Window
- Unlike the leaky bucket, the fixed window algorithm does not starve new requests, because the counter is reset at the beginning of each time window.
Disadvantage of Fixed Window
- Requests can surge at the start of a window. With an hourly limit of 1000 requests, for example, all 1000 could be submitted in the first seconds of the window and overload the system. Worse, a user can send 1000 requests at the very end of one window and 1000 more at the very start of the next, so the system sees 2000 requests within a few seconds even though the per-window limit was never broken.
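The fixed window counter, together with the generic accept/reject flow listed under "How Does API Throttling Work?", as an added example that is not code from the original article. The limiter keeps one (window_start, count) pair per key; handle_request is a hypothetical gateway step that turns a rejection into a 429 with a Retry-After header. boundary_burst reproduces the weakness described in the last bullet with constructed timestamps.

```python
import math
import time
from typing import Optional, Tuple


class FixedWindowLimiter:
    """Fixed window counter: at most `limit` calls per key in each window.

    Windows are aligned to the clock (for example minute boundaries) and every
    key has its own (window_start, count) pair. `now` can be injected for
    deterministic tests; omit it to use the wall clock.
    """

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window_seconds = window_seconds
        self.counters = {}  # key -> (window_start, count)

    def allow(self, key: str, now: Optional[float] = None) -> Tuple[bool, float]:
        """Return (allowed, seconds_until_the_window_resets)."""
        now = time.time() if now is None else now
        window_start = now - (now % self.window_seconds)
        start, count = self.counters.get(key, (window_start, 0))
        if start != window_start:          # a new window has begun: reset the counter
            start, count = window_start, 0
        if count >= self.limit:
            return False, start + self.window_seconds - now
        self.counters[key] = (start, count + 1)
        return True, 0.0


def handle_request(limiter: FixedWindowLimiter, api_key: str,
                   now: Optional[float] = None) -> dict:
    """Gateway step (hypothetical): consult the limiter, then serve or reject."""
    allowed, retry_after = limiter.allow(api_key, now)
    if not allowed:
        return {
            "status": 429,
            "headers": {"Retry-After": str(math.ceil(retry_after))},
            "body": "rate limit exceeded",
        }
    return {"status": 200, "headers": {}, "body": "ok"}


def boundary_burst(limit: int = 2, window: float = 60.0) -> int:
    """Constructed burst: `limit` calls one second before a window boundary and
    `limit` more right after it. Returns how many were accepted within two
    seconds, which shows the fixed window's boundary weakness."""
    limiter = FixedWindowLimiter(limit, window)
    times = [window - 1.0] * limit + [window] * limit
    return sum(1 for t in times if limiter.allow("user-1", t)[0])


if __name__ == "__main__":
    limiter = FixedWindowLimiter(limit=2, window_seconds=60.0)
    for t in (0.0, 10.0, 20.0, 60.0):
        print(t, handle_request(limiter, "user-1", now=t))
    print("accepted across the boundary:", boundary_burst())
```

With a limit of 2 per minute, the third call at t=20 is rejected with Retry-After 40, and boundary_burst returns 4: twice the nominal limit was accepted in two seconds, which is exactly the overload scenario the sliding window algorithm below is meant to prevent.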
Sliding Window API Throttling Algorithm
The sliding window algorithm addresses the burst problem of the fixed window by starting the time window at the moment of a request rather than at fixed clock boundaries. For example, suppose the system allows a user 2 requests per hour. Unlike the fixed window, the window only begins when the user makes the first request: the timestamp of that request is recorded alongside the counter, and the user may make one more request within the hour that follows it.
Advantages of Sliding Window Algorithm
The sliding window combines the benefits of the leaky bucket and fixed window algorithms while avoiding the drawbacks of both: newer requests are not starved, and, unlike the fixed window, a burst of requests around a window boundary cannot overload the system.
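A sliding window limiter, as an added example and not code from the original article. It is the sliding window log variant, a slight generalization of the description above: instead of remembering only the first request's timestamp, it keeps the timestamps of every accepted call in the trailing window, so the limit holds for any interval of window_seconds ending at the current request. The key names and timestamps are constructed.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Sliding window log: at most `limit` calls per key in any trailing
    `window_seconds` interval, measured from each request's own timestamp
    rather than from fixed clock boundaries."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window_seconds = window_seconds
        self.logs = defaultdict(deque)   # key -> timestamps of accepted calls

    def allow(self, key: str, now: float) -> bool:
        log = self.logs[key]
        cutoff = now - self.window_seconds
        # Evict timestamps that have slid out of the window, oldest first.
        while log and log[0] <= cutoff:
            log.popleft()
        if len(log) >= self.limit:
            return False
        log.append(now)
        return True

    def retry_after(self, key: str, now: float) -> float:
        """Seconds until the oldest call in the window expires (0 if room)."""
        log = self.logs[key]
        if len(log) < self.limit:
            return 0.0
        return max(0.0, log[0] + self.window_seconds - now)


def boundary_burst(limit: int = 2, window: float = 60.0) -> int:
    """Same constructed traffic pattern as the fixed window weakness: `limit`
    calls one second before a clock boundary and `limit` more right after."""
    limiter = SlidingWindowLimiter(limit, window)
    times = [window - 1.0] * limit + [window] * limit
    return sum(1 for t in times if limiter.allow("user-1", t))


if __name__ == "__main__":
    print("accepted across the boundary:", boundary_burst())
```

Here boundary_burst returns 2, not 4: the calls at t=60 fall inside the window that started with the calls at t=59, so the clock boundary gives the client nothing. The cost is memory, one timestamp per accepted call per key, which is why high-volume gateways often use an approximating sliding window counter instead.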
What Are the Benefits of API Throttling?
API throttling is important to any company that delivers its services through APIs.
API throttling prevents the loss of system performance by restricting excessive use of an API. When an application has many users, the system may receive a massive number of API requests every second, and trying to handle all of them slows the system down for everyone. API throttling ensures that every user receives the service promised in the service level agreement (SLA).
An API throttling system acts as a gateway in front of the API and helps prevent denial-of-service (DoS) attacks, in which an attacker floods the service with requests so that it becomes unavailable to legitimate users. By capping the number of requests a client can make, API throttling blunts such attacks.
Reduce Unintended/Malicious Use
If an API exposes sensitive information because of a technical flaw, API throttling limits how much of that information a user can pull through the affected endpoint before the flaw is fixed.
Metering and Monetization
APIs are among a company's most valuable assets, and revenue from API usage makes up a substantial share of many companies' income. API throttling lets organizations meter how much their APIs are used. For instance, a web service might offer a certain number of free API calls per hour and charge users who need more.
API throttling is not only about limiting the number of requests. Depending on a user's access rights, the throttling layer can also restrict which parts of the API the user may reach. Some users might be permitted only to search for other users, for example, while others may also edit user information through the API.
What Are the Challenges of API Throttling?
Implementing API throttling in a distributed system is difficult. If the application or service is hosted on multiple servers around the world, the limit must be enforced across the whole system, yet requests from the same user may be routed to different servers. The throttling logic runs on every node and must stay synchronized with the others in real time, which can lead to inconsistency and race conditions.
In the following example, the user has a limit of five requests per second and has already used four in the current second. Suppose the user sends two more requests at the same moment and they are routed to two different servers. The rate limiter on the first server reads the counter from the shared database, sees count=4, and allows the call. Before it has written count=5 back, the rate limiter on the second server reads the same counter from the shared database, also sees count=4, and allows its call as well. Both requests are served, and the user has made six requests in one second.
Solution: API throttling systems use several techniques to overcome such inconsistency and race conditions. One approach for distributed platforms is sticky sessions, which ensure that every request from a given user is served by the same server. This approach, however, is neither well load-balanced nor fault-tolerant.
Another solution is locking. In the example above, the first rate limiter locks the counter when it reads it from the database; until the lock is released, the second rate limiter cannot read the counter. The first rate limiter releases the lock only after it has updated the count to five. A third option is to relax the rate limit slightly, tolerating a small number of extra requests per second in exchange for avoiding the cost of coordinating every check.
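The race above and the locking fix, as an added example that is not code from the original article. SharedStore is a hypothetical stand-in for the shared database: read/write model the non-atomic read-modify-write, and incr models a single atomic increment of the kind a row lock or Redis INCR provides. The interleave hook deterministically injects the second node's request at the worst possible moment, so the lost update can be reproduced without relying on thread scheduling. Key names and the starting count are constructed.

```python
import threading
from typing import Callable, Optional, Tuple


class SharedStore:
    """Stand-in for the database every rate limiter node consults.

    `read` and `write` are separate, non-atomic operations. `incr` performs the
    increment under a lock and returns the new value, so no other node can
    observe the counter between the read and the write. The optional
    `interleave` hook runs once, after the read (or after the atomic increment),
    to model a second node's request arriving in that gap.
    """

    def __init__(self):
        self.counts = {}
        self._lock = threading.Lock()
        self.interleave: Optional[Callable[[], None]] = None

    def _fire_hook(self) -> None:
        hook, self.interleave = self.interleave, None
        if hook is not None:
            hook()

    def read(self, key: str) -> int:
        value = self.counts.get(key, 0)
        self._fire_hook()            # another node may act before we write back
        return value

    def write(self, key: str, value: int) -> None:
        self.counts[key] = value

    def incr(self, key: str) -> int:
        with self._lock:
            self.counts[key] = self.counts.get(key, 0) + 1
            value = self.counts[key]
        self._fire_hook()            # another node can only act after the whole increment
        return value


class NaiveLimiter:
    """Read the counter, compare, write it back: racy across nodes."""

    def __init__(self, store: SharedStore, limit: int):
        self.store, self.limit = store, limit

    def allow(self, key: str) -> bool:
        count = self.store.read(key)
        if count >= self.limit:
            return False
        self.store.write(key, count + 1)   # lost update if another node wrote first
        return True


class AtomicLimiter:
    """Increment first, atomically, then compare the value the store returns.

    Rejected calls still bump the counter; that is harmless with a per-window
    reset and avoids a second round trip to the store."""

    def __init__(self, store: SharedStore, limit: int):
        self.store, self.limit = store, limit

    def allow(self, key: str) -> bool:
        return self.store.incr(key) <= self.limit


def simulate_race(limiter_cls, limit: int = 5, already_used: int = 4) -> Tuple[int, int]:
    """Two nodes handle one request each for the same user at the same instant.
    Returns (requests allowed, counter value left in the store)."""
    store = SharedStore()
    store.counts["user-1"] = already_used
    node_a, node_b = limiter_cls(store, limit), limiter_cls(store, limit)
    results = []
    # Node B's request lands inside node A's read-compare-write sequence.
    store.interleave = lambda: results.append(node_b.allow("user-1"))
    results.append(node_a.allow("user-1"))
    return sum(results), store.counts["user-1"]


if __name__ == "__main__":
    print("naive :", simulate_race(NaiveLimiter))    # (2, 5): 6 served, counter says 5
    print("atomic:", simulate_race(AtomicLimiter))   # (1, 6): 5 served, 1 rejected
```

The naive limiter allows both requests and, worse, leaves the counter at 5 after six requests have been served, so the error compounds on the next check. The atomic variant serializes the increment, which is what the page's "locking" solution amounts to when the database does it for you; it also avoids holding a lock across a network round trip, which is the usual objection to client-side locking.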