Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Apidays Paris 2023 - Not Your Grandma’s Rate Li...

apidays
December 29, 2023

Apidays Paris 2023 - Not Your Grandma’s Rate Limiting, Meenakshi Dhanani, Postman

Apidays Paris 2023 - Software and APIs for Smart, Sustainable and Sovereign Societies
December 6, 7 & 8, 2023

Not Your Grandma’s Rate Limiting
Meenakshi Dhanani, Developer Relations Engineer, GraphQL at Postman

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

December 29, 2023
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. All rights reserved by Postman Inc Not Your Grandma’s Rate

    Limiting Meenakshi Dhanani Developer Relations Engineer, GraphQL
  2. Bonjour de l’Inde Meenakshi Dhanani (aka Meena) 󰏝 @mdhananii DEVELOPER

    RELATIONS ENGINEER, GRAPHQL Likes: - Yoga, strength training 󰙥 - Spanish 󰎼 “ @getpostman @mdhananii
  3. Introduction to Rate Limiting APIs Challenges with Rate Limiting GraphQL

    APIs Optimization Techniques for GraphQL APIs Real world examples Road Ahead 1 2 3 4 5 Overview @getpostman @mdhananii
  4. Rate Limiting • Minimize load Rate limiting enforces a controlled

    flow of requests, preventing system congestion and downtime due to excessive demand. • Ensure fair usage Rate limiting ensures fair usage by setting predefined limits on how often each client or user can access resources, preventing any single entity from monopolizing the system's resources. Safeguards against bursts of incoming traffic @getpostman @mdhananii
  5. An API rate limit is essentially a way for Shopify

    to ensure stability of the platform Zameer Masjedee Office of the President, Technology Lead at Shopify “ @getpostman @mdhananii
  6. @getpostman @mdhananii Query Cost Analysis • Type complexity Type complexity

    reflects the size of the data retrieved by a query. • Resolve complexity Resolve complexity reflects the server’s query execution cost Shopify Engineering Blog
  7. @getpostman @mdhananii Benefits of Cost Analysis for Service Providers •

    Inform load balancing Distribute incoming queries across server instances based on their complexity, ensuring even processing and preventing overloading of resources. • Resolver resource allocation Developers can allocate resources more effectively, optimize resolver functions, and prioritize high-impact queries, resulting in better overall performance and efficient use of server resources. • Threat prevention Attackers are discouraged from crafting overly complex or deeply nested queries that could degrade server performance or cause denial-of-service attacks. • Monetization Pricing based on the execution cost or response size.
  8. @getpostman @mdhananii Key Considerations • Introspection Queries Ensuring that introspection

    queries are subject to rate limiting or handled separately is crucial for security. • Pagination Pagination arguments significantly impact cost calculation. The same field with different pagination sizes can have vastly different costs. • Upper Bound vs Actual Response When clients request a large number of items, but the actual response contains fewer items, there's a potential mismatch between the charged cost and the delivered value • Complexity Calculation Overhead The process of calculating query complexity itself can introduce overhead, especially for deeply nested queries.
  9. @getpostman @mdhananii No Right Answer Examples illustrate a good rate

    limiting strategy consists of not one but a combination of all these techniques.
  10. @getpostman @mdhananii Traditional Architecture for Rate Limiting • Gateways/Routers API

    gateways can centralize the management of APIs, making it easier to control access, monitor traffic, and troubleshoot problems.
  11. @getpostman @mdhananii Implementation Strategies • Compilers A compiler transforms GraphQL

    queries into an optimized representation. This representation can then be used to implement rate limiting more efficiently. • Machine Learning Approach Machine learning can be used to learn the patterns of legitimate and malicious traffic. This information can then be used to optimize the rate limiting rules to better protect the API from abuse.
  12. During this session, we learned: • What is rate limiting

    APIs? • Why is rate limiting for GraphQL different from other APIs? • Query cost analysis - techniques, examples • Peek into future strategies Recap @getpostman @mdhananii
  13. API Rate Limits and Working with GraphQL https://www.shopify.com/partners/blog/graphql-rate-limits A Guide

    to GraphQL Rate Limiting and Security https://xuorig.medium.com/a-guide-to-graphql-rate-limiting-security-e62a86ef8114 Why does GraphQL need cost analysis? | Morris Matsa https://mmatsa.com/blog/why-cost-analysis/ A Principled Approach to GraphQL Query Cost Analysis https://arxiv.org/pdf/2009.05632.pdf Additional Resources @getpostman @mdhananii