Rate Limit Policies

Rate Limit Policies (Settings → Rate Limit Policies) define how Aforo throttles API traffic. Each policy targets a scope and stacks one or more time-window tiers.

Policy scope & enforcement

Field	Values
Scope	`PER_KEY`, `PER_APP`, `PER_CUSTOMER`
Enforcement mode	`HARD` (reject with HTTP 429) or `SOFT` (warning header only)

Tiers

A policy stacks multiple windows — for example 100 requests/minute and 5,000 requests/hour:

Tier field	Notes
Window	60s (1 min), 3600s (1 hour), 86400s (1 day)
Max requests	Cap within the window
Burst capacity	Optional short-term allowance
Priority	Optional ordering

Add tiers with + Add Tier in the create/edit drawer. The KPI strip shows total policies and the split between hard and soft enforcement.

ℹ

HARD enforcement returns 429 Too Many Requests. SOFT enforcement lets the request through but returns a RateLimit-Remaining header — useful for observing traffic before you start rejecting it.