Alpha Limitations
Rate limiting is currently only available in private alpha and is not currently fully self-service. To gain access, please send us a request below, and our team will get back to you and assist with the setup. If you have questions or feedback, please join us in #rate-limiting in Discord!
Availability Guarantees
What does "private alpha" mean? What guarantees does Stellate make?
Rate limiting for GraphQL is not a trivial topic. During this phase we will open up our solution to a larger audience, while keeping track who is using us in what fashion and work closely with tester to obtain their feedback. We expect to discover some use-cases that won't work as intended. However, this is to be expected during the alpha testing phase and we do not guarantee full functionality at this time.
However, we do guarantee that we're not going to break your requests. Even if the rate limiting functionality is broken, we guarantee that we will "fail open" and your users won't be affected. On the other hand that means in case of problems your origin service may receive more traffic than you have configured. At most that's the amount of traffic you previously received before opting into the rate limiting feature.
Minimum/Maximum limit window
Every rule can specify their time frame for which the expenses of the requests are summed up for (rule.limit.window).
The length of the window has an upper and a lower bound:
- Minimum: 1 second
- Maximum: 1 hour (3,600 seconds)
- Step size: 1 second (no fractions of a second are possible)
Region-based rate limiting
Our rate limiting solution runs per region and in the alpha version does not enforce a global rate limit yet.
Using multiple mutations in a single request
When using a RequestCount based rule for mutations, the rule will always consume either 0 or 1 points from the budget, depending on whether the rule applies to the received request.
A GraphQL request is technically able to send multiple mutations. The number of mutations within a request does not influence the amount of budget points to be consumed.
If you want to restrict a request from sending multiple limits, you can find an example in our Rate Limiting Rule Examples.
Automated Persisted Queries (APQ)
Automatic Persisted Queries (APQ) are not compatible with the Rate Limiting product yet. When rate limiting is configured, any APQ request will be rejected, to disallow circumenventing your rules by using persisted queries.
If you need to have both features work together, please reach out with your use-cases!
Supported HTTP verbs
Right now only GraphQL requests sent via the POST verb are rate limited. We will expand to support GET as well shortly.
OPTIONS requests (e.g. browser preflight requests) are not forwarded to your origin (we handle them in our edge infrastructure) and thus will never consume any rate limit budget.
GraphQL Query Batching
GraphQL Query Batching is currently not compatible with the Rate Limiting product. When rate limiting is configured, any batched request will be rejected, to disallow circumenventing your rules by using batched requests.
EdgeRequest header format
HTTP headers are case-insensitive. We normalize all keys of the req.headers record to use lowercase string values only.
If you use Authorization in your HTTP client, it will be available as req.headers.authorization.
If you send somthing like X-My-Custom-Header it will be available as req.headers['x-my-custom-header'].
(Alpha) Query complexity based rate limiting rules
Complexity algorithm
The current algorithm to compute the complexity of your request as described in Complexity-based Rate Limiting can't be adjusted. For future customization, the foundational algorithm may be subject to change.
List fields
The current algorithm is not aware of the backing GraphQL schema. Only fields that use one of your configured listSizeArguments are treated as an Array type field. Relying on the default argument values for page sizes skews the result of the computation, so we recommend to explicitly include any such argument in your GraphQL operations.
Rule limit window resolution
Due to the technical implementation details, rules with a higher limit value are not accurate on the exact second. A window will never be shorter than what the user configured. The maximum difference in seconds from the configured value can be found below.
| From (seconds) | To (seconds) | Maxium deviation (seconds) |
|---|---|---|
| 1 | 10 | 1 |
| 11 | 180 | 5 |
| 181 | 600 | 10 |
| 601 | 1800 | 30 |
| 1801 | 3600 | 45 |