
Rate Limiter

Available in version 14.5.2-patch2 and later.

A rate limiter for REST requests is a mechanism used to control the frequency at which clients can make requests to a RESTful API. In other words, it limits the number of requests a client can make within a specified time interval, which helps prevent misuse or overloading the server.

Different limits can be set based on the URI and/or the HTTP method. When a limit is exceeded, the 429 Too Many Requests response status code is returned.

General configuration

The following properties are defined in to configure the rate limiter:

  • ataccama.server.ratelimiter.enabled - If set to true, the rate limiter is turned on. By default, the rate limiter is not used (default value: false).

  • ataccama.server.ratelimiter.http.<limiter>.urls - Comma-separated list of URL prefixes. Can also contain the HTTP method.

    From the list provided, the most precise limiter is selected, and the HTTP method is taken into consideration if multiple patterns match. If no URLs match, no limit is applied.

Configuration example

Assume we have the following configuration:


This means the following:

  • The apilimit-rest-get rate limiter is applied to GET requests to /api/rest/instance or /api/rest/master.

  • The apilimit-rest-post rate limiter is applied to POST requests to /api/rest/instance or /api/rest/master.

  • The apilimit-rest rate limiter is applied to all other requests to /api/rest.

  • There are no limits applied to other requests.
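
The selection rules above can be modeled to check which limiter a request falls under and which requests are left without any limit. This is an added example, not Ataccama code or configuration syntax. Assumptions: patterns are represented as (method, prefix) pairs, "most precise" means the longest matching string prefix with a method-specific pattern winning ties, and the sample requests are constructed.

```python
# Model of the limiter selection described above (assumed semantics, not product code).
# Each pattern is (HTTP method or None, URL prefix); None means "any method".
LIMITERS = {
    "apilimit-rest-get": [("GET", "/api/rest/instance"), ("GET", "/api/rest/master")],
    "apilimit-rest-post": [("POST", "/api/rest/instance"), ("POST", "/api/rest/master")],
    "apilimit-rest": [(None, "/api/rest")],
}


def select_limiter(method, path, limiters=LIMITERS):
    """Return the name of the limiter applied to a request, or None if unlimited."""
    path = path.split("?", 1)[0]  # ignore the query string when matching
    best_name, best_rank = None, None
    for name, patterns in limiters.items():
        for pat_method, prefix in patterns:
            if pat_method is not None and pat_method != method.upper():
                continue
            if not path.startswith(prefix):  # assumed: plain string prefix match
                continue
            # Longer prefix is more precise; a method-specific pattern breaks ties.
            rank = (len(prefix), pat_method is not None)
            if best_rank is None or rank > best_rank:
                best_name, best_rank = name, rank
    return best_name


def unlimited(requests, limiters=LIMITERS):
    """List the (method, path) pairs that no limiter covers."""
    return [(m, p) for m, p in requests if select_limiter(m, p, limiters) is None]


# Constructed sample requests, not taken from a real deployment.
SAMPLE = [
    ("GET", "/api/rest/instance/42"),
    ("POST", "/api/rest/master"),
    ("DELETE", "/api/rest/instance/42"),
    ("GET", "/api/rest/other"),
    ("GET", "/login"),
]

if __name__ == "__main__":
    for m, p in SAMPLE:
        print(f"{m:6} {p:24} -> {select_limiter(m, p) or 'no limit'}")
    print("uncovered:", unlimited(SAMPLE))
```

Running the same check over the endpoints a deployment actually exposes shows which ones fall through to "no limit" before the limiter is relied on.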

Resilience4j setup

The rate limiter is implemented using Resilience4j. To learn more about this library, see the article Guide to Resilience4j With Spring Boot and the Resilience4j RateLimiter documentation.

Use these properties to control the behavior of the rate limiter:

  • resilience4j.ratelimiter.instances.<RateLimiterName>.limit-for-period - Sets the maximum allowed number of operations within a defined time period. For example, if you set the value to 10, a user can perform a maximum of 10 operations within the time period specified by the limit-refresh-period property.

  • resilience4j.ratelimiter.instances.<RateLimiterName>.limit-refresh-period - Determines the time period after which the limit for the number of operations is refreshed. For example, if you set the value to 1s, the limit for the number of operations is refreshed every second.

  • resilience4j.ratelimiter.instances.<RateLimiterName>.timeout-duration - Specifies how long to wait for a request to be processed before it’s considered a failure. If this period elapses, the request is considered unsuccessful.

  • resilience4j.ratelimiter.instances.<RateLimiterName>.register-health-indicator - Determines whether to register a health indicator for the specified rate limiter. If set to true, a health indicator is available within Spring Boot actuators, allowing you to monitor the rate limiter’s status. We recommend enabling it for debugging or monitoring purposes.
