URL: https://www.geeksforgeeks.org/python/how-to-throttle-api-with-django-rest-framework/

Throttling in Django REST Framework

Last Updated : 26 Nov, 2025

Throttling in Django REST Framework (DRF) controls how many requests a client can make within a specific time. It helps keep the API stable and prevents overuse.

  • Maintains scalability when handling large numbers of requests.
  • Protects the API from slow performance and DoS-style attacks.
  • Prevents misuse by limiting excessive requests.
  • Helps provide a smooth and fair experience for all users.

Types of Throttling Classes

Django REST Framework (DRF) includes built-in throttling classes that control how many requests are allowed within a set time period.

  • DRF provides three throttling classes: AnonRateThrottle, UserRateThrottle, and ScopedRateThrottle.
  • Each class defines the maximum number of requests allowed in a specific time window.
  • Different scopes and configurations can be applied based on the API’s needs.
  • Throttling can work with permissions to enforce both access control and rate limits together.

1. AnonRateThrottle

AnonRateThrottle is used to limit the rate of requests made by unauthenticated users. It identifies each request using the IP address of the incoming connection, generating a unique key to track and throttle requests accordingly.

The allowed request rate can be determined from:

  • The rate property defined in a custom subclass of AnonRateThrottle.
  • The global configuration value set under DEFAULT_THROTTLE_RATES['anon'] in settings.py.

To enable throttling globally, define the throttle classes and rate limits in the project’s configuration:

The throttle rate can be defined using any of the following time units: second, minute, hour, or day, depending on the desired rate-limiting policy.

Example Request: The following HTTPie command retrieves the list of robots without authentication.

http GET :8000/robot/

Output

HTTP/1.1 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Language: en
Content-Length: 2106
Content-Type: application/json
Date: Sat, 02 Oct 2021 14:29:40 GMT
Referrer-Policy: same-origin
Server: WSGIServer/0.2 CPython/3.7.5
Vary: Accept, Accept-Language
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

[
    {
        "currency": "USD",
        "currency_name": "US Dollar",
        "manufacturer": "ABB",
        "manufacturing_date": "2020-05-10T00:00:00Z",
        "name": "IRB 1100",
        "owner": "sonu",
        "price": 25000,
        "robot_category": "Articulated Robots",
        "url": "http://localhost:8000/robot/7/"
    },
    {
        "currency": "USD",
        "currency_name": "US Dollar",
        "manufacturer": "ABB",
        "manufacturing_date": "2020-08-10T00:00:00Z",
        "name": "IRB 120",
        "owner": "sonu",
        "price": 35000,
        "robot_category": "Articulated Robots",
        "url": "http://localhost:8000/robot/8/"
    }
]

The AnonRateThrottle rate is configured as 2 API requests per day. This means an unauthenticated user cannot make more than two requests within a 24-hour period. If the number of requests exceeds this configured limit, the server responds with a 'Too Many Requests' (HTTP 429) error.

2. UserRateThrottle

UserRateThrottle controls the rate of requests sent by both authenticated and unauthenticated users.

  • For authenticated users, the user ID is used as the unique cache key.
  • For unauthenticated users, the IP address acts as the unique cache key.
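
How the IP-based key used by AnonRateThrottle, and by UserRateThrottle for unauthenticated requests, is derived, shown as an added example rather than code from the article or from DRF. It is a simplified model of DRF's client identification, which reads the X-Forwarded-For header and REMOTE_ADDR and is governed by the NUM_PROXIES setting; the function names, the `meta` dictionary and all addresses are constructed for illustration.

```python
# Simplified model of how DRF derives the client identity for IP-based
# throttling. Added illustration, not DRF source: `meta` stands in for
# request.META, `num_proxies` for the NUM_PROXIES setting.

def client_ident(meta, num_proxies=None):
    """Return the identity string a throttle would key on."""
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    remote_addr = meta.get("REMOTE_ADDR")
    if num_proxies is not None:
        if num_proxies == 0 or xff is None:
            return remote_addr            # trust only the socket peer
        addrs = xff.split(",")
        # Count back from the right: those entries were appended by the
        # proxies you operate, so they are the trustworthy ones.
        return addrs[-min(num_proxies, len(addrs))].strip()
    # NUM_PROXIES unset: the whole header is used when present, so the
    # identity includes whatever the client put in it.
    return "".join(xff.split()) if xff else remote_addr

def cache_key(scope, ident):
    """Cache key layout: throttle_<scope>_<ident>."""
    return "throttle_%s_%s" % (scope, ident)

# Constructed request metadata: one reverse proxy (10.0.0.5) in front of
# the API. The proxy appended 203.0.113.7, the address it saw; the entry
# left of it arrived in the client's own header.
BEHIND_PROXY = {
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_X_FORWARDED_FOR": "192.0.2.44, 203.0.113.7",
}
DIRECT = {"REMOTE_ADDR": "203.0.113.7"}

def anon_keys():
    """Throttle keys for the same proxied request under three settings."""
    return {
        "unset": cache_key("anon", client_ident(BEHIND_PROXY)),
        "0": cache_key("anon", client_ident(BEHIND_PROXY, 0)),
        "1": cache_key("anon", client_ident(BEHIND_PROXY, 1)),
    }

if __name__ == "__main__":
    for setting, key in anon_keys().items():
        print("NUM_PROXIES=%s -> %s" % (setting, key))
    print("direct ->", cache_key("anon", client_ident(DIRECT)))
```

With one proxy in front of the API, NUM_PROXIES = 1 keys the throttle on the address the proxy observed, while 0 would place every client in the proxy's single bucket.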

The allowed request rate can be determined in two ways:

  • By overriding the class and setting the rate property directly.
  • By defining the rate in the DEFAULT_THROTTLE_RATES['user'] setting.

To configure throttling globally, update the REST_FRAMEWORK settings:

Throttling Rules:

  • Maximum 2 requests per day for unauthenticated users.
  • Maximum 5 requests per day for authenticated users.

Example Request: The following authenticated HTTPie command allows up to 5 requests per day:

http -a "sonu":"sn@pswrd" GET :8000/robot/

If the number of requests exceeds the configured limit (5 per day), the API will respond with a 'Too Many Requests' (HTTP 429) error.

3. ScopedRateThrottle

ScopedRateThrottle allows controlling the rate of requests for specific features or views in a RESTful API. To use it, the target view must include the throttle_scope property.

Adding a Throttle Scope: For example, the RobotDetail class can have a throttle scope for robot-related endpoints. First, import ScopedRateThrottle:

from rest_framework.throttling import ScopedRateThrottle

Add the throttle scope and class to the view:

Configuring the Throttle Rate: Next, add the throttle rate for the robots scope in the REST framework settings.

The robots scope allows a maximum of 3 requests per day.
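
The rates this page configures (2/day for anon, 5/day for user, 3/day for the robots scope), written as one settings dictionary and followed by a simplified model of how such a rate string is parsed and enforced over a sliding window. This is an added example, not the article's or DRF's own code: the DEFAULT_THROTTLE_CLASSES list is an assumed reconstruction, and `parse_rate`, `WindowThrottle` and `replay` are hypothetical names, with a plain dict in place of the Django cache.

```python
# Added illustration: the page's rates as a settings dict, plus a
# simplified sliding-window model (not DRF source; a dict replaces the cache).
REST_FRAMEWORK = {
    "DEFAULT_THROTTLE_CLASSES": [            # assumed reconstruction
        "rest_framework.throttling.AnonRateThrottle",
        "rest_framework.throttling.UserRateThrottle",
    ],
    "DEFAULT_THROTTLE_RATES": {
        "anon": "2/day",      # unauthenticated clients
        "user": "5/day",      # authenticated users
        "robots": "3/day",    # views with throttle_scope = "robots"
    },
}

SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_rate(rate):
    """'3/day' -> (3, 86400); only the unit's first letter matters."""
    count, period = rate.split("/")
    return int(count), SECONDS[period[0]]

class WindowThrottle:
    def __init__(self, scope):
        rate = REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"][scope]
        self.limit, self.duration = parse_rate(rate)
        self.history = {}                    # ident -> request timestamps

    def allow(self, ident, now):
        """Return (allowed, seconds until the next request is accepted)."""
        # Drop timestamps that have aged out of the window.
        hits = [t for t in self.history.get(ident, []) if t > now - self.duration]
        self.history[ident] = hits
        if len(hits) >= self.limit:
            # Rejected requests are not recorded; wait for the oldest hit to expire.
            return False, hits[0] + self.duration - now
        hits.append(now)
        return True, 0

def replay(scope, ident, times):
    """Feed constructed request times (seconds) for one client through a throttle."""
    throttle = WindowThrottle(scope)
    return [throttle.allow(ident, t) for t in times]

if __name__ == "__main__":
    # Four requests to a "robots" view from user id 7, ten seconds apart.
    print(replay("robots", "7", [0, 10, 20, 30]))
```

The window slides rather than resetting at midnight: the fourth request is refused until 24 hours after the first one, not until the next calendar day.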

Example Request: The following authenticated HTTPie command retrieves a robot by ID using the RobotDetail view:

http -a "sonu":"sn@pswrd" GET :8000/robot/2/


If the number of requests exceeds the scoped limit (3 per day), the API will respond with a "429 Too Many Requests" error. For example, the 4th request within a day is rejected with this error.