Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies
December 6, 7 & 8, 2023
Not Your Grandma’s Rate Limiting
Meenakshi Dhanani, Developer Relations Engineer, GraphQL at Postman
5. Rate Limiting
● Minimize load
Rate limiting enforces a controlled flow of requests, preventing system congestion and downtime due to excessive demand.
● Ensure fair usage
Rate limiting ensures fair usage by setting predefined limits on how often each client or user can access resources, preventing any single entity from monopolizing the system's resources.
● Safeguards against bursts of incoming traffic
@getpostman @mdhananii
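As an added example (not code from the deck, Postman or Shopify), the following Python turns the three points above into a per-client, cost-aware leaky bucket: each client holds a budget of points that refills at a fixed rate, every request debits its cost, and a request that does not fit is refused with a retry-after hint instead of being queued. The capacity, restore rate and single-query ceiling are constructed values, not any vendor's limits, and the clock is passed in so the logic can be exercised without sleeping.

```python
"""Cost-aware leaky bucket keyed by client (added example, constructed parameters)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Decision:
    allowed: bool
    remaining: float               # points left in the client's bucket after this decision
    retry_after: Optional[float]   # seconds until the same request would fit, if denied
    reason: str = ""


class CostLimiter:
    def __init__(self, capacity: float, restore_rate: float, max_single_query_cost: float):
        # A single query may never need more than a full bucket, or it could never run.
        self.capacity = capacity
        self.restore_rate = restore_rate                      # points restored per second
        self.max_single_query_cost = min(max_single_query_cost, capacity)
        self._buckets: Dict[str, List[float]] = {}            # client -> [points, last_seen]

    def _bucket(self, client_id: str, now: float) -> List[float]:
        # New clients start with a full bucket; existing ones are topped up for elapsed time.
        bucket = self._buckets.setdefault(client_id, [self.capacity, now])
        elapsed = max(0.0, now - bucket[1])                   # clock never runs backwards here
        bucket[0] = min(self.capacity, bucket[0] + elapsed * self.restore_rate)
        bucket[1] = now
        return bucket

    def check(self, client_id: str, cost: float, now: float) -> Decision:
        """Debit `cost` points from the client's bucket, or explain why it cannot be done."""
        bucket = self._bucket(client_id, now)
        if cost > self.max_single_query_cost:
            # Too expensive to ever run: no amount of waiting helps, so retry_after is None.
            return Decision(False, bucket[0], None,
                            "query exceeds the single-query cost limit; reduce page sizes or nesting")
        if cost > bucket[0]:
            # Budget exhausted: tell the client exactly how long until this request fits.
            deficit = cost - bucket[0]
            return Decision(False, bucket[0], deficit / self.restore_rate, "budget exhausted")
        bucket[0] -= cost
        return Decision(True, bucket[0], None)


if __name__ == "__main__":
    limiter = CostLimiter(capacity=1000, restore_rate=50, max_single_query_cost=1000)
    for t, cost in [(0.0, 400), (0.0, 400), (0.0, 400), (4.0, 400), (4.0, 1200)]:
        print(t, cost, limiter.check("client-a", cost, now=t))
```

Because every client has its own bucket, one noisy integration cannot starve the others (fair usage), the ceiling on points per second bounds total load, and the capacity absorbs a short burst without either rejecting it or letting it run unbounded. The `retry_after` value is what an implementation would surface in a response header so well-behaved clients can back off precisely.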
6. “An API rate limit is essentially a way for Shopify to ensure stability of the platform”
Zameer Masjedee, Office of the President, Technology Lead at Shopify
10. Query Cost Analysis
● Type complexity
Type complexity reflects the size of the data retrieved by a query.
● Resolve complexity
Resolve complexity reflects the server’s query execution cost.
Shopify Engineering Blog
11. Benefits of Cost Analysis for Service Providers
● Inform load balancing
Distribute incoming queries across server instances based on their complexity, ensuring even processing and preventing overloading of resources.
● Resolver resource allocation
Developers can allocate resources more effectively, optimize resolver functions, and prioritize high-impact queries, resulting in better overall performance and efficient use of server resources.
● Threat prevention
Overly complex or deeply nested queries that could degrade server performance or cause denial of service can be rejected before they execute, which discourages attackers from crafting them.
● Monetization
Pricing based on the execution cost or response size.
17. Key Considerations
● Introspection Queries
Ensuring that introspection queries are subject to rate limiting, or handled under a separate limit, is crucial for security.
● Pagination
Pagination arguments significantly impact cost calculation: the same field with different pagination sizes can have vastly different costs.
● Upper Bound vs Actual Response
When clients request a large number of items but the actual response contains fewer, there is a potential mismatch between the charged cost and the delivered value.
● Complexity Calculation Overhead
Calculating query complexity itself introduces overhead, especially for deeply nested queries.
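The following Python is an added example, not code from the deck, Postman or Shopify: it parses a small subset of GraphQL (selection sets with scalar arguments; no fragments, variables or aliases) and costs a query with the two measures from slide 10, type complexity and resolve complexity, under a constructed cost model in which a leaf costs nothing, an object costs one point plus its children, and a field paginated with `first`/`last` costs two points plus N times one item. It goes beyond the bullets above in two ways: the same query can be re-costed against the response actually served, so the gap between the charged upper bound and the delivered value becomes a number, and introspection queries are flagged so they can be routed to a separate limit. The sample query, response and resolver weights are constructed.

```python
"""Static query cost analysis for a GraphQL subset (added example, not from the deck).
Constructed cost model: a leaf costs 0 type points, an object 1 plus its children, a
list paginated with first/last 2 plus N times one item; resolve complexity is a
per-field weight table, charged once per returned item when under a list."""
import re
from dataclasses import dataclass, field


@dataclass
class Field:
    name: str
    args: dict = field(default_factory=dict)
    selections: list = field(default_factory=list)


# Whitespace and commas are insignificant in GraphQL; 'bad' catches anything unexpected.
TOKEN_RE = re.compile(r'\s+|,|(?P<punct>[{}():])|(?P<name>[_A-Za-z]\w*)'
                      r'|(?P<int>-?\d+)|(?P<str>"[^"]*")|(?P<bad>.)')


class Parser:
    """Recursive descent for the subset: { field(arg: value) { ... } ... }"""
    def __init__(self, text):
        self.toks, self.i = [], 0
        for m in TOKEN_RE.finditer(text):
            if m.lastgroup == "bad":
                raise ValueError(f"unexpected character {m.group()!r} at offset {m.start()}")
            if m.lastgroup:                                   # None: skipped whitespace/comma
                self.toks.append((m.lastgroup, m.group()))

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise ValueError(f"expected {value or kind or 'a token'}, got {v!r}")
        self.i += 1
        return v

    def selection_set(self):
        self.take(value="{")
        fields = []
        while self.peek()[1] != "}":                          # input exhausted -> take() raises
            fields.append(self.field())
        self.take(value="}")
        return fields

    def field(self):
        name, args = self.take("name"), {}
        if self.peek()[1] == "(":
            self.take()
            while self.peek()[1] != ")":
                key = self.take("name")
                self.take(value=":")
                kind, raw = self.peek()
                self.take()
                args[key] = int(raw) if kind == "int" else raw.strip('"')
            self.take()
        return Field(name, args, self.selection_set() if self.peek()[1] == "{" else [])


UPPER_BOUND = object()        # sentinel: no response yet, charge the requested page size


def field_cost(f, weights, value=UPPER_BOUND):
    # Returns (type_complexity, resolve_complexity) for one field.
    resolve = weights.get(f.name, 0)
    if not f.selections:                                      # leaf: no object retrieved
        return 0, resolve
    if value is UPPER_BOUND:                                  # cost one virtual item, times N
        n = f.args.get("first", f.args.get("last"))           # absent: a single object
        it, ir = children_cost(f.selections, weights, UPPER_BOUND)
        if not isinstance(n, int):
            return 1 + it, resolve + ir
        return 2 + n * (1 + it), resolve + n * ir
    # Actual response: charge only the items delivered (a null object delivers none).
    items = value if isinstance(value, list) else [] if value is None else [value]
    t, r = (2 if isinstance(value, list) else 0), resolve
    for item in items:
        it, ir = children_cost(f.selections, weights, item)
        t, r = t + 1 + it, r + ir
    return t, r


def children_cost(selections, weights, parent):
    t = r = 0
    for f in selections:
        # Sentinel (or malformed item) falls back to the upper bound, never to a crash.
        child = parent.get(f.name) if isinstance(parent, dict) else UPPER_BOUND
        ct, cr = field_cost(f, weights, child)
        t, r = t + ct, r + cr
    return t, r


def is_introspection(selections):
    return any(f.name in ("__schema", "__type") or is_introspection(f.selections)
               for f in selections)


def analyse_query(text, weights, response=UPPER_BOUND):
    # Cost the query before execution, or re-cost it against the response it produced.
    fields = Parser(text).selection_set()
    t, r = children_cost(fields, weights, response)
    return {"type": t, "resolve": r, "introspection": is_introspection(fields)}


# Constructed sample: a storefront-style query and a response that delivered far fewer rows.
SAMPLE_QUERY = "{ shop { name } products(first: 10) { title variants(first: 5) { price } } }"
SAMPLE_RESPONSE = {"shop": {"name": "Demo"},
                   "products": [{"title": "A", "variants": [{"price": "1.00"}]},
                                {"title": "B", "variants": [{"price": "2.00"}]}]}
RESOLVER_WEIGHTS = {"products": 5, "variants": 2}            # constructed per-resolver costs
```

`analyse_query(SAMPLE_QUERY, RESOLVER_WEIGHTS)` charges the requested upper bound of 10 products with 5 variants each (83 type points, 25 resolve points); passing `SAMPLE_RESPONSE` as the third argument re-costs the two products that actually came back (11 and 9). A server that debits the upper bound up front and refunds the difference afterwards closes the mismatch the bullet describes, and because the upper-bound path costs one virtual item and multiplies, the analysis itself stays linear in query size rather than in page size.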
22. No Right Answer
The examples illustrate that a good rate limiting strategy consists not of one technique but of a combination of all of them.
23. Traditional Architecture for Rate Limiting
● Gateways/Routers
API gateways can centralize the management of APIs, making it easier to control access, monitor traffic, and troubleshoot problems.
25. Implementation Strategies
● Compilers
A compiler transforms GraphQL queries into an optimized representation, which can then be used to implement rate limiting more efficiently.
● Machine Learning Approach
Machine learning can learn the patterns of legitimate and malicious traffic; that information can then be used to tune the rate limiting rules to better protect the API from abuse.
26. Recap
During this session, we learned:
● What is rate limiting for APIs?
● Why is rate limiting for GraphQL different from other APIs?
● Query cost analysis: techniques and examples
● A peek into future strategies
28. Additional Resources
● API Rate Limits and Working with GraphQL: https://www.shopify.com/partners/blog/graphql-rate-limits
● A Guide to GraphQL Rate Limiting and Security: https://xuorig.medium.com/a-guide-to-graphql-rate-limiting-security-e62a86ef8114
● Why does GraphQL need cost analysis? (Morris Matsa): https://mmatsa.com/blog/why-cost-analysis/
● A Principled Approach to GraphQL Query Cost Analysis: https://arxiv.org/pdf/2009.05632.pdf