Request throttling
The CatalystOne API Gateway applies rate limits and bandwidth quotas to all APIs, at both client and tenant levels. Rate limits protect against short, high-volume bursts, while quotas control call rates over longer periods of time.
Rate limits
The rate-limit policy prevents usage spikes by limiting the number of API calls allowed within a specified time window. When this limit is exceeded, the caller receives a 429 Too Many Requests response.
Because throttling is distributed across multiple systems, rate limiting is never perfectly precise. The difference between configured and actual request counts can vary depending on call volume, backend latency, and other factors.
Bandwidth quota
The bandwidth quota policy enforces either a renewable or lifetime cap on total call volume and/or bandwidth usage. When a quota is exceeded, the caller receives a 403 Forbidden response, including a Retry-After header that specifies how long to wait (in seconds) before retrying.
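An added example, not part of the CatalystOne documentation: a client-side wrapper that tells the two throttling responses described above apart. It assumes exponential backoff with jitter for 429 (the page states no wait time for that response) and treats a 403 without Retry-After as an ordinary authorization failure; the function names, the `send` callable and the `max_quota_wait` threshold are hypothetical.

```python
import random
import time

class QuotaExceeded(Exception):
    """Raised for a 403 whose Retry-After is longer than we are willing to wait."""
    def __init__(self, retry_after):
        super().__init__(f"quota exceeded, retry after {retry_after}s")
        self.retry_after = retry_after

def parse_retry_after(headers):
    """Return Retry-After as whole seconds, or None if absent or malformed."""
    for name, value in headers.items():
        if name.lower() == "retry-after":
            value = value.strip()
            return int(value) if value.isascii() and value.isdigit() else None
    return None

def call_with_throttling(send, max_attempts=5, base_delay=0.5, max_delay=30.0,
                         max_quota_wait=60, sleep=time.sleep, rng=random.random):
    """send() -> (status, headers, body). max_attempts must be >= 1.

    Retries throttled calls and returns the last response received.
    """
    for attempt in range(max_attempts):
        status, headers, body = send()
        retry_after = parse_retry_after(headers)
        if status == 429:
            # Rate limit (short burst window): exponential backoff with jitter.
            # Assumption: no server-supplied wait time is documented for 429.
            delay = min(max_delay, base_delay * 2 ** attempt) * rng()
        elif status == 403 and retry_after is not None:
            # Bandwidth quota: wait only if the stated time is short,
            # otherwise surface it so the caller can reschedule the work.
            if retry_after > max_quota_wait:
                raise QuotaExceeded(retry_after)
            delay = retry_after
        else:
            # Success, another error, or a 403 without Retry-After
            # (assumed to be an authorization failure; retrying will not help).
            return status, headers, body
        if attempt < max_attempts - 1:
            sleep(delay)
    return status, headers, body
```

Logging each `QuotaExceeded` and each 403 without Retry-After separately keeps quota exhaustion from masking genuine authorization failures in client logs.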