mirror of
https://github.com/hasura/graphql-engine.git
synced 2024-12-15 17:31:56 +03:00
27aa5b4781
Co-authored-by: Rikin Kachhia <54616969+rikinsk@users.noreply.github.com> GitOrigin-RevId: 49268fcd36dd15e10c7b7c5fe91af93cd65cb4e2
72 lines
2.2 KiB
ReStructuredText
72 lines
2.2 KiB
ReStructuredText
.. meta::
|
|
:description: Hasura Cloud API limits
|
|
:keywords: hasura, docs, cloud, security, limits
|
|
|
|
.. _api_limits:
|
|
|
|
API limits
|
|
==========
|
|
|
|
.. contents:: Table of contents
|
|
:backlinks: none
|
|
:depth: 1
|
|
:local:
|
|
|
|
Introduction
|
|
------------
|
|
|
|
Limiting the depth and/or rate of API requests can help prevent API performance issues caused by malicious or poorly implemented queries.
|
|
|
|
Configuring an API limit
|
|
------------------------
|
|
|
|
**Rate limits**
|
|
Restricts number of GraphQL operations per minute. This uses a sliding window approach. This means whenever Hasura Pro receives a request, it will count the rate of that client starting from the current time to last one minute.
|
|
|
|
**Depth limits**
|
|
Restricts a GraphQL operation based on its depth, preventing deeply nested queries.
|
|
|
|
**Node limits**
|
|
Restricts a GraphQL operation based on the number of nodes. This helps in limiting the number of different pieces of related data to be fetched.
|
|
|
|
A node is defined as a field with a selection set.
|
|
|
|
For example, in the below query the number of nodes is 3 and they are ``author``, ``articles`` and ``homepage_entries``.
|
|
|
|
.. code-block:: graphql
|
|
|
|
{
|
|
author {
|
|
name
|
|
articles {
|
|
id
|
|
title
|
|
}
|
|
}
|
|
homepage_entries {
|
|
article_id
|
|
}
|
|
}
|
|
|
|
API limits are defined by **role** (anonymous, user) and can restrict request rate, depth, or both. Unique request parameters can include IP address or session variables (*x-hasura-user-id*, *x-hasura-org-id*, etc.)
|
|
|
|
Manage API limits
|
|
-----------------
|
|
|
|
API limits can have a *global* or *per role* configuration. If an incoming request does not contain a valid role then the global limit is applied.
|
|
|
|
.. thumbnail:: /img/graphql/cloud/security/pro-tab-apilimits.png
|
|
:alt: Hasura Cloud Console api limit tab
|
|
|
|
.. admonition:: Admin & IntrospectionQuery exemptions
|
|
|
|
All API limits are **not** applied for the admin role, and depth limits are **NOT** applied to introspection queries
|
|
|
|
Quick-create limits
|
|
-------------------
|
|
|
|
Hasura Cloud lets you add limits with one click from the list of past operations.
|
|
|
|
.. thumbnail:: /img/graphql/cloud/security/pro-tab-apilimit-config.png
|
|
:alt: Hasura Cloud Console create new api limit
|