Client API Throttling in API Gateway


Customer that is looking to implement throttling on their APIs exposed via API Gateway and would like to know if that throttling occurs before invocation of a Lambda custom authorizer, which they are also implementing.

1 Answer
Accepted Answer

There are different types of rate limiting that can be applied on API Gateway. The different types of rate limiting can be found on this security whitepaper on page 11.

If the rate limiting leverages usage plans with an API key (the apiKeySource is set to AUTHORIZER) then the Lambda Authorizer needs to be invoked since the Lambda Authorizer function must return usage plan's API keys as the usageIdentifierKey property value. See link below:

If the rate limiting is enforced by API setting on the resource/method then the custom authorizer does not need to get invoked.

If any of the limits are exceeded for the rate limit, Amazon API Gateway blocks the request and returns a 429 Too Many Requests error response to the client. Client logic or SDKs should be configured to retry such errors, although with increasing back off intervals upon repeat failures of the same type.

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions