Technology Blogs by SAP
SAP Cloud Platform, API Management offers many out-of-the-box API security best practices that can be customized to your enterprise requirements. These API Security Best Practices include security policies for Authentication and Authorization, Traffic Management and many more.

Rate limiting, or Traffic Management, is the process of controlling the rate of traffic sent or received by an API endpoint. Rate limiting comes in several flavors: limiting calls based on the number of hits to the APIs in a given time range, limiting calls during a sudden spike in a given time range, limiting calls when there are too many concurrent connections, and limiting calls that carry a large amount of data. In SAP Cloud Platform, API Management we offer out-of-the-box security policies for all these use cases, which are as follows:

API rate limiting reduces massive volumes of API requests that can cause denial of service, and is documented as one of the REST security protections in OWASP. As per the RFC, an API should return 429 Too many Requests when API rate limiting is applied. In this blog, we describe how to apply a rate limit using the Quota policies from SAP Cloud Platform, API Management and then extend it to return an error message with the 429 status code and a retry interval when the quota expires. The client can use the retry interval to make the API call again after the quota interval expires.
More best practices are covered in the API Security Best Practices blog series.


Launch API Portal


  • Click on the link Access API Portal to open API Portal.


Create an API Proxy

If you already have an API Proxy to which you would like to apply Rate limit, then you can refer to the section Update an API Proxy.

  • Navigate to Define from the hamburger icon, select the APIs tab, and click on the Create button.


  • Click on the Save and Deploy button to activate the API Proxy.



With this we have activated an API Proxy which connects to the SAP Gateway OData API and is accessible to anyone on the public domain without any API rate limit.

Update an existing API Proxy

In this blog, we have extended the API Proxy with restricted access to a specific IP address range, as described here.

  • Navigate to Define from the hamburger icon, select the APIs tab, and then select the API Proxy to which API rate limiting is to be applied.


Rate Limit APIs call via Quota Policy

In this section, we apply the Quota policy from SAP Cloud Platform, API Management to limit the API calls to 2 calls per minute.

  • Click on the Policies button of the newly created API Proxy


  • Click on the Edit button from the Policy designer, select PreFlow from the ProxyEndPoint and then click on the + button next to the Quota Policy available under the Traffic Management Policies segment.


  • In the Create Policy dialog, provide the name of the policy, say applyRateLimit, and click on the Add button.


  • By default, a policy exits the execution when an error occurs. Here we want execution to continue even in case of error, so that the error can be handled in the next execution step by a RaiseFault Policy. Therefore, set the flag continueOnError to true, as shown in the snippet below.

<Quota async="false" continueOnError="true" enabled="true" type="calendar" xmlns="">
  <Allow count="2"/> <!-- number of calls allowed per interval -->
  <Interval>1</Interval>
  <StartTime>2015-2-11 12:00:00</StartTime>
  <TimeUnit>minute</TimeUnit> <!-- with Interval 1: 2 calls per minute -->
</Quota>



  • From the Policy designer, select PreFlow from the ProxyEndPoint and then click on the + button next to the Raise Fault Policy available under the Mediation Policies segment.


  • In the Create Policy screen, specify the policy name, say return429error, and then click on the Add button.



  • In the policy editor, select the newly created return429error policy and add the following policy snippet to return the error with status code 429 and message Too many Requests.

<RaiseFault async="true" continueOnError="false" enabled="true" xmlns="">
  <!-- Defines the response message returned to the requesting client -->
  <FaultResponse>
    <Set>
      <!-- Sets or overwrites HTTP headers in the response message -->
      <Headers><Header name="Retry-After">{ratelimit.applyRateLimit.expiry.time}</Header></Headers>
      <Payload contentType="text/plain">Your quota exceeded </Payload>
      <!-- sets the reason phrase of the response -->
      <ReasonPhrase>Too many Requests</ReasonPhrase>
      <!-- sets the status code of the response -->
      <StatusCode>429</StatusCode>
    </Set>
  </FaultResponse>
</RaiseFault>

The RaiseFault Policy allows a custom error message to be returned to the client. The above policy snippet returns the error response with the HTTP status set to 429 and the reason phrase set to Too many Requests. The retry time is set to the expiry of the Quota time interval, as described in the RFC; for this we have used the flow variable ratelimit.{quotapolicyname}.expiry.time.



  • The return429error Raise Fault policy added above must be executed only in case of a quota error. Therefore, in the Condition String field, copy and paste the condition value ratelimit.applyRateLimit.failed = "true". This condition ensures that the error is returned to the API caller only when the quota is exceeded.



  • Click on the Update button to save the Policy changes



  • Click on the Save button to save the changes to API Proxy



With this we have successfully set the API rate limit using SAP Cloud Platform, API Management, as described in the REST security protection in OWASP and following the rate limiting RFC standards for error handling.
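On the client side, the 429 response and its Retry-After header have to be turned into a bounded wait before the call is repeated. The following is an added example, not code from the original blog or from SAP: the function names, the `MAX_WAIT` and `FALLBACK` limits and the sample exchange are hypothetical. It assumes the header may arrive as delay seconds, as an HTTP-date, or as a raw expiry timestamp in epoch milliseconds, which is an assumption about what the quota expiry flow variable contains and should be checked against the proxy's actual response.

```python
import time
from datetime import timezone
from email.utils import parsedate_to_datetime

MAX_WAIT = 120.0   # assumption: upper bound on how long a server can make us wait
FALLBACK = 1.0     # assumption: delay used when Retry-After is missing or unparseable

def retry_delay_seconds(header, now):
    """Turn a Retry-After value into seconds to wait, relative to `now` (epoch s)."""
    value = (header or "").strip()
    if value.isascii() and value.isdigit():
        n = int(value)
        # Assumption: a number this large is an absolute expiry time in epoch
        # milliseconds (what a quota expiry variable may contain), not a delay.
        delay = n / 1000.0 - now if n >= 10**11 else float(n)
    else:
        try:
            when = parsedate_to_datetime(value)      # HTTP-date form
        except (TypeError, ValueError):
            return FALLBACK
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        delay = when.timestamp() - now
    return min(max(delay, 0.0), MAX_WAIT)            # never negative, never unbounded

def call_with_retry(send, max_attempts=3, sleep=time.sleep, now=time.time):
    """send() -> (status, headers). Retry only on 429; return (status, attempts)."""
    for attempt in range(1, max_attempts + 1):
        status, headers = send()
        if status != 429 or attempt == max_attempts:
            return status, attempt
        sleep(retry_delay_seconds(headers.get("Retry-After"), now()))

def demo():
    """Constructed exchange: one 429 with an epoch-ms Retry-After, then a 200."""
    clock = [1_700_000_030.0]                        # constructed current time
    replies = [(429, {"Retry-After": "1700000060000"}), (200, {})]
    slept = []
    def fake_sleep(seconds):
        slept.append(seconds)
        clock[0] += seconds
    result = call_with_retry(lambda: replies.pop(0), sleep=fake_sleep,
                             now=lambda: clock[0])
    return result, slept
```

Clamping the wait keeps a malformed or hostile header from stalling the client, and the fallback keeps a missing header from causing an immediate retry loop.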


Finally testing the flow


  • Navigate to the Test tab from the hamburger icon



  • From the APIs list, search for the API Proxy that you would like to test, say GatewayServiceRestrictedAccess, and then click the API to test.




  • Click on the Send button multiple times so that API rate limiting is applied



  • Click on the Headers tab to view the Retry-After header value


