ratelimit

Apply rate limiting

Check and enforce rate limits for any identifier (user ID, IP address, API client, etc.).

Use this for rate limiting beyond API keys - limit users by ID, IPs by address, or any custom identifier. Supports namespace organization, variable costs, and custom overrides.

Important: Always returns HTTP 200. Check the success field to determine if the request should proceed.

Required Permissions

Your root key must have one of the following permissions:

ratelimit.*.limit (to check limits in any namespace)
ratelimit.<namespace_id>.limit (to check limits in a specific namespace)

Side Effects

Records rate limit metrics for analytics and monitoring, updates rate limit counters with sliding window algorithm, and optionally triggers override matching for custom limits.

POST

ratelimit.limit

Python (SDK)

from unkey.py import Unkey


with Unkey(
    root_key="<YOUR_BEARER_TOKEN_HERE>",
) as unkey:

    res = unkey.ratelimit.limit(namespace="api.requests", duration=60000, identifier="user_abc123", limit=100, cost=5)

    # Handle response
    print(res)

{
  "data": {
    "limit": 100,
    "remaining": 99,
    "reset": 1714582980000,
    "success": true
  },
  "meta": {
    "requestId": "req_01H9TQPP77V5E48E9SH0BG0ZQX"
  }
}

Authorizations

Authorization

string

header

required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

Keep root keys secure and never expose them in client-side code
Use different root keys for different environments
Rotate keys periodically, especially after team member departures
Create keys with minimal necessary permissions following least privilege principle
Monitor key usage with audit logs.

Body

application/json

Response

200

application/json

Rate limit check completed. Always returns HTTP 200 - check the success field to determine if the request is allowed.

The response is of type object.

List ratelimit overridesRetrieve a paginated list of all rate limit overrides in a namespace. Use this to audit rate limiting policies, build admin dashboards, or manage override configurations. **Important:** Results are paginated. Use the cursor parameter to retrieve additional pages when more results are available. **Permissions:** Requires `ratelimit.*.read_override` or `ratelimit.<namespace_id>.read_override`

Python (SDK)

from unkey.py import Unkey


with Unkey(
    root_key="<YOUR_BEARER_TOKEN_HERE>",
) as unkey:

    res = unkey.ratelimit.limit(namespace="api.requests", duration=60000, identifier="user_abc123", limit=100, cost=5)

    # Handle response
    print(res)

{
  "data": {
    "limit": 100,
    "remaining": 99,
    "reset": 1714582980000,
    "success": true
  },
  "meta": {
    "requestId": "req_01H9TQPP77V5E48E9SH0BG0ZQX"
  }
}

Introduction

Endpoints

Apply rate limiting

Authorizations

Body

Response