Api Rate Limiting Out of the box in Laravel 5.2

This is a series of posts that showcase new features and aha moments in Laravel 5.2

1. Implicit Route Model Binding

2. Simplified Eloquent Global Scopes

3. Append Scheduled Tasks Output

4. Form Array Validation

5. Middleware Groups

6. Auth Scaffolding

7.  API Rate Limiting

8. More helper functions


Laravel makes web development so easy that it hurts!

Laravel 5.2 development is underway and it might be released this year or in January 2016.

There are so many new features that have been developed like easy multi-auth handling, implicit route model binding and some others I’ll talk about later but the one that really got me excited is the API Rate Limiting functionality.

When building APIs, most times you’ll have to take enough time to sit down and implement a rate limiter for your API to avoid users from pulling down your servers from too many requests.

Most times it’s a headache because it involves a lot of logic to get that right.

With Laravel 5.2, even my MAMA can build an API with rate limiting enabled in 5 minutes. How awesome is that? :smile:

Let’s Get Started

1. Run composer create-project laravel/laravel api-rate-limiting dev-develop in your terminal.

The dev-develop branch is where we are getting the latest development version of laravel which also fetches the 5.2-dev branch of laravel/framework repository.

2. Go to routes.php and add a route like so:

Now this is the simplest API you will ever write in your lifetime. :smile:

By default, Laravel returns a JSON response.

Fire up your server and check the response.

3. Let’s hit this API route from our terminal. You can use curl or a tool like httpie. You can install that by doing brew install httpie

4. Run http get http://localhost:8000/api/v1/songs on your terminal and check out the response.

You can see the response here and also see the headers.

Now, you can hit this route as many times as you want and it still displays the appropriate JSON response.

In production, except you are either google, facebook or Microsoft that possess endless server resources, you will have to give a rate limit to your APIs to ensure that users consume reasonably.

5. Add the throttle middleware like so:

By default, Laravel provides 60 requests per minute. hit that route again from your terminal and see the result

Aha!, Look at those headers X-RateLimit-Limit and X-RateLimit-Remaining

They signify the amount of requests assigned to a user and the amount of requests remaining for a user respectively. The more you hit the route, the more X-RateLimit-Remaining reduces.

Now, let’s decrease our API rate limit to just 5 requests per minute like so:

Hit the route again from the terminal and you’ll see that the X-RateLimit-Limit is now 5. Now, hit that route multiple times, at least 6 times.

At the 6th time, you will discover you get a message Too Many attempts

This is because you have exceeded the no of requests granted to you. So, Laravel stops the results from displaying and returns this message. Awesome!

If you want to increase the time limit for the number of requests, you can just add that as the second argument to the throttle middleware like so:

This means you can only perform 5 requests in 3 minutes.

Conclusion: Laravel makes use of a user’s IP address and hashes it with a unique ID and stores it in a cache. If you get into the source code, you will see how it performs this operation but like I said earlier my MAMA doesn’t need to worry about that.

As I write, my MAMA  can build an API with a rate limiter in 5 minutes. :smile:

Please, if you have any questions or observations, let me know in the comments section.



Food Ninja, Code Slinger, Technical Trainer, Accidental Writer, Open Source Advocate and Developer Evangelist.