What is Per-user vs per-IP limits in Rest API?

Rest APIprogramming~5 mins

Per-user vs per-IP limits in Rest API

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Introduction

We use limits to control how many times someone can use an API. This helps keep the system safe and fair for everyone.

To stop one user from sending too many requests and slowing down the service.

To prevent many users from the same place (like a school or office) from overloading the system.

To protect the API from attacks where many requests come from one IP address.

To make sure all users get a fair chance to use the API without being blocked by others.

To track and manage usage for billing or monitoring purposes.

Syntax

Rest API

Limit per user:
  Check user ID or token and count requests.
  Block or slow down if limit exceeded.

Limit per IP:
  Check IP address of the request.
  Count requests from that IP.
  Block or slow down if limit exceeded.

Per-user limits require users to be logged in or identified.

Per-IP limits work even if users are not logged in but can affect many users behind one IP.

Examples

Limit requests by user ID to 1000.

Rest API

if requests_from_user > 1000:
    block_request()

Limit requests by IP address to 5000.

Rest API

if requests_from_ip > 5000:
    block_request()

Use both limits together for better control.

Rest API

if requests_from_user > 1000 or requests_from_ip > 5000:
    block_request()

Sample Program

This program counts requests per user and per IP. It blocks users who send more than 3 requests and blocks IPs with more than 7 requests total.

Rest API

class RateLimiter:
    def __init__(self):
        self.user_counts = {}
        self.ip_counts = {}
        self.user_limit = 3
        self.ip_limit = 7

    def request(self, user_id, ip):
        self.user_counts[user_id] = self.user_counts.get(user_id, 0) + 1
        self.ip_counts[ip] = self.ip_counts.get(ip, 0) + 1

        if self.user_counts[user_id] > self.user_limit:
            return f"User {user_id} blocked: too many requests"
        if self.ip_counts[ip] > self.ip_limit:
            return f"IP {ip} blocked: too many requests"
        return "Request allowed"

limiter = RateLimiter()

# Simulate requests
print(limiter.request('alice', '192.168.1.1'))
print(limiter.request('alice', '192.168.1.1'))
print(limiter.request('alice', '192.168.1.1'))
print(limiter.request('alice', '192.168.1.1'))  # Should block user

print(limiter.request('bob', '192.168.1.1'))
print(limiter.request('carol', '192.168.1.1'))
print(limiter.request('dave', '192.168.1.1'))
print(limiter.request('eve', '192.168.1.1'))  # Should block IP

OutputSuccess

Important Notes

Per-user limits need a way to identify users, like login or API keys.

Per-IP limits can block many users if they share the same IP, like in offices or schools.

Combining both limits gives better protection and fairness.

Summary

Per-user limits control requests based on who is using the API.

Per-IP limits control requests based on where the requests come from.

Using both helps keep the API safe and fair for everyone.