Skip to content

Configuring limits


Once a product is created, customers are able to access the included endpoints without any limitations using the API key issued by Nadles.

API providers can use Nadles's rich toolkit to define, what limitations customers have when they are subscribed to this product.

Read "Before you begin" to learn more about the product concept.

Limits page

Navigate to Products → choose a product → Limits.

There are two types of limits in Nadles:

  • Rate limits
  • Rejection rules

By combining them you can flexibly configure a wide variety of products.

Rate limits

A rate limit can be specified per N seconds/minutes/hours.

  1. Click "Add rate limit".

  2. Configure the new rate limit.

    Rate limits can be applied to several endpoints. In that case, the Nadles engine will calculate the total request rate for the group of endpoints.

Max burst — an additional number of requests accepted in case the rate limit was exceeded by the user.

Max burst example

  • Rate limit: 1 req/s
  • Max burst: 5 reqs

In case 7 requests hit the Nadles API Gateway at the same moment, the first six requests are passed without a delay, and the last, seventh request is rejected. All the following requests are also rejected until the rate of 1 req/s is achieved.

Difference between quotas and rate limits

The difference between rate limits and quotas is that rate limits cap the number of calls within a rolling time window (i.e. last N seconds/minutes/hours), whereas quota periods are calculated starting from the beginning of subscription.

E.g. if there is a subscription started on 01-01-2022 at 00:00:00 and there is a quota of 100 calls per 1 day, then there will be the following time periods:

Quota Time period
100 2022-01-01 00:00:00 — 2022-01-01 23:59:59
100 2022-01-02 00:00:00 — 2022-01-02 23:59:59
100 2022-01-03 00:00:00 — 2022-01-03 23:59:59
100 ...

Rejection rules


Rejection rules are JavaScript expressions that tell Nadles API Gateway whether the current request should be rejected.

If an expression evalueates to true, Nadles API Gateway will reject the request.

It's useful for implementing premium features and impose limitations on input parameters.


For instance, a limitation might sound as

For the "Basic" subscription plan request body can't exceed a maximum of 1000 bytes.

In this case, the Nadles API Gateway needs to check the request body length and reject the request if the length exceeds 1000 bytes.

The expression needs to be:

request.body.length > 1000

One rejection rule can be applied to several endpoints. The expression will be evaluated for each call to any of the selected endpoints and if the result is true, the call is rejected.

Add rejection rule

  1. Click "Add rejection rule".

  2. Enter the expression, select the endpoints this rule applies to, and click "Save".

  3. The rejection rule is now added to the product.

Expression variables

There is a number of variables that can be used in the expression.

Note that response variables are not available, since rejection rules are evaluated before proxying the request.

Path parameters

path.params.* — placeholder values specified in the endpoint URL.


Placeholder names are case-sensitive.


If an endpoint URL is /resource/{resourceId}

and the HTTP request URL is /resource/801d49c2-ca05-42b1-97af-baf0ddf36ba3,

then there will be a variable path.params.resourceId with value "801d49c2-ca05-42b1-97af-baf0ddf36ba3".

path.params.resourceId // "801d49c2-ca05-42b1-97af-baf0ddf36ba3"

Client IP address

request.remote_addr — Client IP address.

Request headers

request.headers['header-name'] — Request header values.


Header names are lower-case.


request.headers['content-type'] == 'application/json'

Request query string parameters

request.query['query_string_parameter_name'] — Request query string parameters.


Query string parameter names are case-sensitive.

request.query['page'] > 100

Request body

request.body — Request body.

request.body.length > 1000