Rate limiting on Anypoint Platform Access Management API calls and Other APIs

A) Access Management API :-

Let's use the Anypoint Platform Login API call as an example. We can follow the steps from How to generate your Authorization Bearer token for Anypoint Platform to call the API. 

For example:

curl -v -H "Content-Type: application/json" -X POST -d @/tmp/payload.json https://anypoint.mulesoft.com/accounts/login
...
< HTTP/1.1 200 OK
...
< Date: Thu, 25 Jun 2020 07:28:00 GMT
...
< X-RateLimit-Limit: 500
< X-RateLimit-Remaining: 499
< X-RateLimit-Reset: 1593070140

The following HTTP headers can be found from the response: 

• X-Ratelimit-Limit: the rate limit set to the API call
• X-Ratelimit-Remaining: the current remaining limit for the API call
• X-RateLimit-Reset: the epoch time the rate limit will be reset

From the above example, we can see:

• 1593070140 is in epoch time format, which converts to 25 June 2020 07:29:00 GMT
• this means from 25 Jun 2020 07:28:00 GMT to 25 Jun 2020 07:29:00 GMT, one request was made and 499 left. 
• if you made another call at exactly 25 June 2020 07:29:00 GMT, you would see the rate limit's reset and X-RateLimit-Reset changes to 25 June 2020 07:30:00 GMT. This means the rate limit period is every minute. 

When a rate limit is reached, the 503 is returned, like the following:

< HTTP/1.1 503 Service Unavailable: Back-end server is at capacity
< Content-Length: 0
...

Note

• The rate limit is per caller (identified by the user ID or client ID), instead of per IP
• The rate limit headers are currently available from Access Management API and Audit Log Query API

B) Rate limits for Anypoint Platform Other REST API's :- 

• This is referring to Platform REST API's as documented in Anypoint Exchange.
• Anypoint Platform employs intelligent rate limiting functionality in order to maintain service levels and prevent service overload due to high volume of requests or possible denial of service attempts.
• MuleSoft does not publish the exact rate limits and the rate limits may vary dependent on different scenarios. Anypoint platform detects usage based on concurrent requests and bursts of requests from specific IP addresses.
• As a guidance, it is recommended that applications do not exceed 15 requests per second from an individual client IP.
• Should an API Rate Limit be exceeded, Some APIs may implement temporal throttling or the Anypoint Platform will reject requests with a 503 Service Unavailable or 503 Service Temporarily Unavailable HTTP Response Code.