Rate Limiting
// Definition
An API protection mechanism that caps how many requests a client can make in a window. Tests should verify both the limit threshold and the response when exceeded (typically HTTP 429 with Retry-After).
// Why it matters
A working limit blunts credential brute-force, scraping, and accidental hammering from a buggy client. QA should verify two things that are easy to forget: that the limit actually triggers (the service answers 429 rather than silently slowing down), and that it resets once the window has passed. A limiter that never releases is its own outage.
// How to test
// Fire past the documented limit; expect a 429 with Retry-After
const creds = { username: 'qa-user', password: 'deliberately-wrong' } // constructed test credentials
const attempts = Array.from({ length: 12 }) // limit is 10/min, so 12 guarantees we cross it
cy.wrap(attempts).each(() =>
  cy.request({ url: '/api/login', method: 'POST', body: creds, failOnStatusCode: false })
)
// One more request past the limit must be rejected, and must tell the client when to retry
cy.request({ url: '/api/login', method: 'POST', body: creds, failOnStatusCode: false })
  .then((res) => {
    expect(res.status).to.eq(429)
    expect(res.headers).to.have.property('retry-after')
  })
// Common mistakes
- Limiting by IP only (defeated by proxies) or by account only (defeated by spraying)
- No Retry-After header, so well-behaved clients can't back off
- Counting failed and successful requests the same way, locking out legitimate users
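The Cypress test above runs against a live API. To show what a limiter that avoids the mistakes listed here looks like, and how to prove offline that it both triggers and resets, below is an added example written for this page (it is not code from the masterclass or from any framework). It assumes a fixed-window policy of 10 requests per minute enforced independently per client IP and per target account, an injectable clock, and a stubbed credential check; the handler shape, the hypothetical accounts and the IP addresses are all constructed.

```javascript
'use strict';

// Added example: a fixed-window limiter that keeps an independent budget per
// client IP *and* per target account, answers 429 with Retry-After, and takes
// an injectable clock so the window reset can be asserted without sleeping.
class FixedWindowLimiter {
  constructor({ limit, windowMs, now }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;                 // injectable clock returning milliseconds
    this.buckets = new Map();       // key -> { windowStart, count }
  }

  // Consume one unit for `key`. Denied requests are NOT counted, so a blocked
  // client cannot push its own Retry-After further out by retrying.
  tryAcquire(key) {
    const now = this.now();
    let b = this.buckets.get(key);
    if (!b || now - b.windowStart >= this.windowMs) {
      b = { windowStart: now, count: 0 };   // window elapsed: start a fresh one
      this.buckets.set(key, b);
    }
    if (b.count >= this.limit) {
      const msLeft = b.windowStart + this.windowMs - now;
      return { allowed: false, retryAfterSec: Math.ceil(msLeft / 1000) };
    }
    b.count += 1;
    return { allowed: true, retryAfterSec: 0 };
  }
}

// Minimal login handler (constructed shape, not a real framework): 429 with
// Retry-After when either budget is exhausted, otherwise a credential check.
function makeLoginHandler({ ipLimiter, accountLimiter, authenticate }) {
  return function handleLogin(req) {
    const body = req.body || {};
    const account = body.username || '';
    const byIp = ipLimiter.tryAcquire(`ip:${req.ip}`);
    // Charge the account budget only if the IP budget admitted the request.
    const verdict = byIp.allowed ? accountLimiter.tryAcquire(`acct:${account}`) : byIp;
    if (!verdict.allowed) {
      return { status: 429, headers: { 'retry-after': String(verdict.retryAfterSec) } };
    }
    return authenticate(account, body.password)
      ? { status: 200, headers: {} }
      : { status: 401, headers: {} };
  };
}

// Drives the handler the way the Cypress test does, but offline and against a
// fake clock, so both the trigger and the reset are deterministic.
function simulate() {
  let t = 0;                                        // fake clock, ms
  const clock = () => t;
  const handleLogin = makeLoginHandler({
    ipLimiter:      new FixedWindowLimiter({ limit: 10, windowMs: 60_000, now: clock }),
    accountLimiter: new FixedWindowLimiter({ limit: 10, windowMs: 60_000, now: clock }),
    authenticate: () => false,                      // constructed stub: every attempt fails
  });
  const alice = { ip: '203.0.113.7', body: { username: 'alice', password: 'wrong' } };

  // 12 attempts against a 10/min limit: the first 10 reach the credential check
  // (401), the 11th and 12th are rejected by the limiter (429).
  const statuses = [];
  for (let i = 0; i < 12; i++) statuses.push(handleLogin(alice).status);

  t = 15_000;                                       // 45 s of the window remain
  const blocked = handleLogin(alice);               // 429, Retry-After: 45

  // Spray from the same IP against another account: caught by the IP budget.
  const sprayed = handleLogin({ ip: '203.0.113.7', body: { username: 'bob', password: 'wrong' } });
  // Same account from a fresh IP (proxy rotation): caught by the account budget.
  const distributed = handleLogin({ ip: '198.51.100.9', body: { username: 'alice', password: 'wrong' } });

  t = 60_000;                                       // window elapses
  const afterReset = handleLogin(alice);            // limiter releases: back to 401

  return { statuses, blocked, sprayed, distributed, afterReset };
}
```

The two independent budgets are what close the first mistake on the list: a spray from one IP across many accounts exhausts the IP budget, while a distributed attack on one account through rotating proxies exhausts the account budget. Advancing the injected clock past the window is the reset check the text asks for; it is the part a real-API test tends to skip because waiting a minute is slow, so it is worth having at the unit level even when the integration test only covers the 429.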
// Related terms
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.
Endpoint
A specific URL exposed by an API that accepts requests and returns responses. Defined by its path, HTTP method, and contract.
Status Code
A three-digit HTTP response code indicating outcome — 2xx success, 3xx redirect, 4xx client error, 5xx server error. The first signal an API test asserts on.
Learn more · API Testing Masterclass
Chapter 4 · Lesson 4: Rate Limiting and Retry Strategies