Introducing Rate Limiting for Tinybird APIs

Today, we introduce Rate Limiting for Tinybird API Endpoints. With this new feature, you can limit how often your users can fetch Tinybird APIs on a per-endpoint or per-user basis.

Read on to learn more about how rate limiting works in Tinybird, or check out the docs for detailed instructions on implementing rate limiting in your Tinybird Endpoints.

The essential Tinybird experience is simple and delightful: capture data from many sources, query it with SQL, and instantly publish queries as fast and scalable API Endpoints.

Tinybird's customers have built thousands of endpoints that handle billions of daily requests. Many of those APIs were accessed through a proxy; developers created backend services that handled requests from their application and forwarded those requests to Tinybird APIs.

There were good reasons to do this; it gave developers more control over throughput, rate limiting, custom domains, etc. that they would not otherwise get from Tinybird.

Tinybird customers have often used backend proxies to handle requests to the APIs they build in Tinybird, but this comes with some downsides.

But there were also downsides, namely an increase in endpoint latency and the added complexity and cost of maintaining and scaling another service.

Recently we introduced support for JSON Web Tokens (JWTs) to Tinybird. JWTs eliminate the security concerns associated with querying Tinybird APIs from the browser, as you no longer need to manage static tokens on Tinybird or risk those tokens being compromised. Instead, you can simply generate and sign a JWT to securely make requests without needing that added backend hop.

JWT support resolved the auth requirements previously handled by external proxies, but there were still good reasons to use a proxy. The main reason was rate limiting; Tinybird APIs still did not natively support rate limiting functionality, so you'd have to handle that on your own.

Tinybird now supports rate limiting through JWTs. You can define rate limits on your Tinybird APIs through the tokens you create for your users.

With this new feature, Tinybird now handles rate limiting via the JWTs you create to authenticate requests to your Tinybird Endpoints.

Defining rate limits in JWTs

To enable rate limits on Tinybird Endpoints, we leverage JWTs. You can define the maximum requests per second in the JWTs you assign to your users. For example, the JWT below limits READ access to the requests_per_day Tinybird Pipe to a maximum of 10 requests per second.

Requests that exceed the 10 RPS rate limit will be rejected and receive an "HTTP 429 Too Many Requests" error.

You can set rate limits per user by creating a JWT with a unique name for each user. With this approach, multiple clients can access the same API Endpoint, each with different rate limits. 

This can be useful for managing API support tiers based on pricing. For example,  users on a free plan can have JWTs with more restrictive limits than users on paid plans.

Alternatively, the name field in a JWT does not have to be unique for each token, so all tokens generated using the same name can have the same rate limit. This gives you the ability to assign global rate limits at the app or component level.

Rate limits can be applied globally using a shared name across different JWTs, or on a per-user basis.

Start using Rate Limiting

For more information on Rate Limiting for Tinybird Endpoints, read the documentation. If you have a question or need guidance on best practices, please ask in our Slack community and we'll steer you in the right direction.

New to Tinybird?

Tinybird is the data platform for real-time analytics. Developers use Tinybird to build a variety of user-facing applications: in-product dashboards, app and web personalization, anomaly detection, and more.

You can get started at tinybird.co/signup. You don't need a credit card, and the Build plan has no time limit and supports 1,000 API requests per day for free.