How do I rate limit a public API?

Published 2019-02-24 08:22

Question:

I have an algorithm that receives input and delivers output which I would like developers to use like an API. To prevent denial of service attack and excessive overuse, I want some rate limits or protection. What options do I have? Do I provide accounts and API keys? How would that generally work? And what other ideas are possible for this scenario?

Answer 1:

Accounts and API keys do sound like a good idea; if nothing else, they stop people other than your intended developers being able to access your API.

It should be fairly straightforward to have a simple database table logging the last time a particular API was accessed, and denying re-use if it is accessed too many times in a certain time frame. If possible, return the next time the API will be available for re-use in the output, so developers can throttle accordingly, instead of having to go for a trial and error approach.

Are you expecting the same inputs to be used over and over again or will it be completely random? What about caching the output and only serving the cache to the developer(s) until the API is ready for re-use? This approach is far less dependent on accounts and keys too.
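A worked version of the approach in this answer, added here as an example and not code from the answer: a sliding-window limiter keyed on an API key, with the access log kept in a (key, timestamp) table and the time until the next allowed call returned to the developer. The ACCOUNTS dictionary, the key strings and the handler are constructed for the example.

```python
import math
import sqlite3
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample "accounts": API key -> developer name (hypothetical values).
ACCOUNTS = {"key-alice-1234": "alice", "key-bob-5678": "bob"}


@dataclass
class Decision:
    allowed: bool
    remaining: int       # calls still allowed in the current window
    retry_after: float   # seconds until the next call is allowed (0 when allowed)


class KeyRateLimiter:
    """Sliding-window limit of `limit` calls per `window` seconds, per API key."""
    # The access log is a plain (api_key, ts) table as the answer suggests; an
    # in-memory sqlite table here, but any shared store can hold the same rows.

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE api_access (api_key TEXT NOT NULL, ts REAL NOT NULL)")
        self.db.execute("CREATE INDEX idx_access ON api_access (api_key, ts)")

    def check(self, api_key: str, now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        # Drop rows that have left every key's window so the table stays small.
        self.db.execute("DELETE FROM api_access WHERE ts <= ?", (now - self.window,))
        rows = self.db.execute(
            "SELECT ts FROM api_access WHERE api_key = ? ORDER BY ts", (api_key,)).fetchall()
        if len(rows) >= self.limit:
            # The oldest logged call leaves the window at oldest + window.
            return Decision(False, 0, rows[0][0] + self.window - now)
        self.db.execute("INSERT INTO api_access VALUES (?, ?)", (api_key, now))
        return Decision(True, self.limit - len(rows) - 1, 0.0)


def handle_request(limiter: KeyRateLimiter, api_key: str, now: Optional[float] = None) -> dict:
    """Gate one call: unknown key -> 401, over the limit -> 429 plus Retry-After."""
    if api_key not in ACCOUNTS:
        return {"status": 401, "body": "unknown API key"}
    d = limiter.check(api_key, now)
    if not d.allowed:  # tell the developer when to retry instead of leaving them to guess
        return {"status": 429, "headers": {"Retry-After": str(math.ceil(d.retry_after))}}
    return {"status": 200, "headers": {"X-RateLimit-Remaining": str(d.remaining)},
            "body": "result for " + ACCOUNTS[api_key]}
```

Passing `now` explicitly makes the limiter deterministic in tests; in production leave it out and the wall clock is used.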

Answer 2:

API keys can definitely be a good way to go; there is also OAuth (http://oauth.net) if you have scenarios where end users will be accessing the service via apps built by third parties.

If you don't want to code the rate limits / key management yourself, it's worth taking a look at http://www.3scale.net/ which does a lot of this free out of the box as a service (plus other stuff including a developer portal, billing and so on). As a disclaimer, I work there so I might have some bias but we try to make exactly this as simple as possible!

I should add, there's a PHP plugin for 3scale which you can drop into your code and that'll enable all the rate limits etc.

Answer 3:

Another option that is slightly less complex, at the expense of accuracy, is using the IP address. Obviously this is easier to overcome, but for the average user who does not know what an IP address is, it works. Also easy to set up.

It all depends on the complexity of the app and the amount of time you have to do it in.