Client API Throttling in API Gateway

There are different types of rate limiting that can be applied on API Gateway. The different types of rate limiting can be found on this security whitepaper on page 11. https://d1.awsstatic.com/whitepapers/api-gateway-security.pdf?svrd_sip6

If the rate limiting leverages usage plans with an API key (the apiKeySource is set to AUTHORIZER) then the Lambda Authorizer needs to be invoked since the Lambda Authorizer function must return usage plan's API keys as the usageIdentifierKey property value. See link below: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html

If the rate limiting is enforced by API setting on the resource/method then the custom authorizer does not need to get invoked.

If any of the limits are exceeded for the rate limit, Amazon API Gateway blocks the request and returns a 429 Too Many Requests error response to the client. Client logic or SDKs should be configured to retry such errors, although with increasing back off intervals upon repeat failures of the same type.