Skip to main content
Version: Next 🚧

Rate Limiting

Apiato uses Laravel Rate Limiting feature to protect your API from abuse and to ensure stability.


This feature is only applied to API requests, and not to web requests and is enabled by default.

How it works

Given the rate limit window is 1 minute per endpoint, with individual calls allowing for 30 requests in each window each user is allowed to make 30 calls per endpoint every 1 minute (for each unique access token).


Rate limiting configuration is done in the app/Ship/Configs/apiato.php config file.

Rate Limiting Headers

For how many hits you can perform on an endpoint, you can always check the header:

X-RateLimit-Limit → 30
X-RateLimit-Remaining → 29

Disable Rate Limiting

The API rate limiting middleware name is api and is assigned to all API endpoints by default. You can disable it on specific endpoints or globally.

On a specific endpoint

Rate limiting can be disabled by removing the api middleware from an endpoint using withoutMiddleware('throttle:api') method. Read More.


To disable rate limiting completely, set GLOBAL_API_RATE_LIMIT_ENABLED to false in the .env file.