How to Throttle API with Django Rest Framework

Django Rest Framework (DRF) provides powerful throttling mechanisms to control the rate at which clients can make API requests. Throttling helps prevent API abuse, protects server resources, and ensures fair usage among all clients.

Built-in Throttling Classes

DRF offers several built-in throttling classes for different scenarios:

  • AnonRateThrottle: Limits requests from anonymous (unauthenticated) clients within a specific time frame.

  • UserRateThrottle: Restricts requests from authenticated users within a given time interval.

  • ScopedRateThrottle: Allows custom throttling rates for different API sections using scopes.

Configuring Throttling in Settings

To configure throttling for your DRF API, add the throttling classes and rates to your settings.py file:

# settings.py
REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle',
        'rest_framework.throttling.ScopedRateThrottle',
    ],
    'DEFAULT_THROTTLE_RATES': {
        'anon': '100/hour',
        'user': '1000/day',
        'custom': '50/hour',
    }
}

This configuration sets the following limits:

  • Anonymous clients: 100 requests per hour

  • Authenticated users: 1000 requests per day

  • Custom scope: 50 requests per hour

Applying Throttling to Views

Class-based Views

Use the throttle_classes attribute to specify throttling classes. For ScopedRateThrottle, set the throttle_scope attribute:

from rest_framework.throttling import UserRateThrottle, ScopedRateThrottle
from rest_framework.views import APIView
from rest_framework.response import Response

class MyApiView(APIView):
    throttle_classes = [UserRateThrottle, ScopedRateThrottle]
    throttle_scope = 'custom'

    def get(self, request):
        return Response({'message': 'Hello, World!'})

Function-based Views

Use the @throttle_classes decorator for function-based views:

from rest_framework.throttling import UserRateThrottle, AnonRateThrottle
from rest_framework.decorators import api_view, throttle_classes
from rest_framework.response import Response

@api_view(['GET'])
@throttle_classes([UserRateThrottle, AnonRateThrottle])
def my_api_view(request):
    return Response({'message': 'Throttled API endpoint'})

Creating Custom Throttling Classes

For specific requirements, create custom throttling classes by extending SimpleRateThrottle and implementing the get_cache_key() method:

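from rest_framework.throttling import SimpleRateThrottle

class IPBasedThrottle(SimpleRateThrottle):
    # The rate is looked up under this key in DEFAULT_THROTTLE_RATES ('50/hour' above)
    scope = 'custom'

    def get_cache_key(self, request, view):
        # Generate cache key based on client IP.
        # Behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's
        # address, so every client would share one bucket. DRF's built-in
        # throttles use self.get_ident(request) with the NUM_PROXIES setting
        # for that case.
        client_ip = request.META.get('REMOTE_ADDR')
        return f'throttle_ip_{client_ip}'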
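
The effect of the throttle key when the API sits behind a reverse proxy, as an added standard-library example that is not code from the original page or from DRF. The names parse_rate, client_ip, SlidingWindowThrottle and simulate, the proxy address and the sample client addresses are constructed for illustration, and each proxy is assumed to append its peer's address to X-Forwarded-For.

```python
import math
from collections import defaultdict, deque

PERIODS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_rate(rate):
    """'50/hour' -> (50, 3600): request count and window length in seconds."""
    count, period = rate.split("/")
    return int(count), PERIODS[period[0]]

def client_ip(meta, num_proxies=0):
    """Address to throttle on. num_proxies = reverse proxies you operate
    (assumed to append the peer address to X-Forwarded-For)."""
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    if num_proxies == 0 or not xff:
        return meta.get("REMOTE_ADDR")
    # Count hops from the right; entries further left are client-supplied.
    hops = [h.strip() for h in xff.split(",")]
    return hops[-min(num_proxies, len(hops))]

class SlidingWindowThrottle:
    def __init__(self, rate):
        self.limit, self.window = parse_rate(rate)
        self.history = defaultdict(deque)  # key -> timestamps, oldest first

    def allow(self, key, now):
        """Return (allowed, retry_after_seconds) for one request at time now."""
        hits = self.history[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # drop requests that fell out of the window
        if len(hits) >= self.limit:
            return False, math.ceil(hits[0] + self.window - now)
        hits.append(now)
        return True, 0

def simulate(requests, rate, num_proxies):
    """Replay (meta, timestamp) pairs; return [(key, allowed, retry_after)]."""
    throttle = SlidingWindowThrottle(rate)
    out = []
    for meta, now in requests:
        key = client_ip(meta, num_proxies)
        out.append((key, *throttle.allow(key, now)))
    return out

# Constructed sample: two clients reaching the app through one proxy (10.0.0.5).
SAMPLE = [({"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": ip}, t)
          for ip, t in [("198.51.100.7", 0), ("198.51.100.7", 10),
                        ("203.0.113.9", 20), ("198.51.100.7", 30)]]
```

With num_proxies=0 the second client is rejected because of the first client's traffic; with num_proxies=1 each client gets its own bucket.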

Throttling Response Example

When a client exceeds the rate limit, DRF returns an HTTP 429 status with details about when they can retry:

HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Retry-After: 60

{
    "detail": "Request was throttled. Expected available in 60 seconds."
}

Conclusion

Django Rest Framework's throttling system provides flexible rate limiting for APIs. Use built-in classes for common scenarios, configure rates in settings, and create custom throttling classes when needed for specific requirements.

Updated on: 2026-03-27T07:24:56+05:30
