APIRateLimit — Per-Endpoint Rate-Limit Inspector
16 endpoints × 4 limit tiers (anon-IP, free-tier, paid-tier, enterprise). Real-time burn rate vs limit, abuse signals (single-IP saturation, token reuse across geos, payload-size anomalies), and the actual API-gateway YAML config per endpoint. Maps to RFC 6585 + OWASP API4:2023 + SOC2 CC6.6.
What it is
The shape behind every API-gateway rate-limit dashboard (Kong, Envoy, Cloudflare API Shield, Tyk). 16 endpoints on one screen with current burn vs tier limit, abuse signals, and the actual gateway config.
What’s in it
- 16 endpoints across 6 categories: auth, business, read, AI/LLM, integration, admin.
- 4 tiers per endpoint — anon-IP, free-tier, paid-tier, enterprise. Each with the actual policy (“150/IP/min”, “100k/user/min”, “unlimited (signed)”).
- Burn-rate visualization — per-tier percentage of capacity consumed in current window.
- Abuse signals seeded into real endpoints:
  - /v1/auth/login: single IP 86.142.32.14 with a 0.04 success/attempt ratio (credential stuffing)
  - /v1/products/{id}: one scraper enumerating sequential IDs (bot signature)
  - /v1/search: 88 requests >2KB, OpenSearch DSL injection attempts
  - /v1/uploads: payload-size anomaly approaching the enterprise per-request limit
  - /v1/admin/users/{id}/impersonate: 3/hour cap is forensic, every call audited
  - /v1/.well-known/openapi.json: aggressive vendor scanner, should be allowlisted with a higher cap
- Gateway config preview — copy-pasteable YAML with the actual key-extractor chain (header → JWT → source.ip), TLS verification, and the 429 response per RFC 6585 §4 (Retry-After, plus the de facto X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers, which RFC 6585 itself does not define).
Why this shape
OWASP API4:2023 (“Unrestricted Resource Consumption”) + SOC2 CC6.6 (boundary protection) + RFC 6585 §4 (429 Too Many Requests) all converge on the same operational question: do you know which endpoint is closest to saturation, what abuse signal is the loudest, and where the next 429 storm will hit? APIRateLimit prototypes the answer.
How it ships
Single HTML file, ~19KB. Zero dependencies. 16 endpoints × 4 tiers × abuse-signal classifier + gateway-config templates in 200 lines of vanilla JavaScript.