# /sys/quotas/rate-limit The `/sys/quotas/rate-limit` endpoint is used to create, edit and delete rate limit quotas. ### Create or update a rate limit quota This endpoint is used to create a rate limit quota with an identifier, `name`. A rate limit quota must include a `rate` value with an optional `path` that can either be a namespace or mount, and can optionally include a path suffix following the mount to restrict more specific API paths. | Method | Path | | ------ | ------------------------------ | | `POST` | `/sys/quotas/rate-limit/:name` | #### Parameters * `name` `(string: "")` - The name of the quota. * `path` `(string: "")` - Path of the mount or namespace to apply the quota. A blank path configures a global rate limit quota. For example `namespace1/` adds a quota to a full namespace, `namespace1/auth/userpass` adds a quota to `userpass` in `namespace1`, and `namespace1/kv-v2/data/foo/bar` adds a quota to a specific secret on a K/V v2 mount in `namespace1`. A trailing glob (`*`) can also be added as part of the path after the mount to match paths that share the same prefix prior to the glob. `namespace1/kv-v2/data/foo/*` would match both `namespace1/kv-v2/data/foo/bar` and `namespace1/kv-v2/data/foo/baz`. Updating this field on an existing quota can have "moving" effects. For example, updating `namespace1` to `namespace1/auth/userpass` moves this quota from being a namespace quota to a namespace specific mount quota. Non-global quotas are not inherited by child namespaces. **Note, namespaces are supported in Enterprise only**. * `rate` `(float: 0.0)` - The maximum number of requests in a given interval to be allowed by the quota rule. The `rate` must be positive. * `interval` `(string: "")` - The duration to enforce rate limiting for (default `"1s"`). * `block_interval` `(string: "")` - If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block\_interval' has elapsed. * `role` `(string: "")` - If set on a quota where `path` is set to an auth mount with a concept of roles (such as `/auth/approle/`), this will make the quota restrict login requests to that mount that are made with the specified role. The request will fail if the auth mount does not have a concept of roles, or `path` is not an auth mount. * `inheritable` `(bool: false)` - If set to `true` on a quota where `path` is set to a namespace, the same quota will be cumulatively applied to all child namespace. The `inheritable` parameter cannot be set to `true` if the `path` does not specify a namespace. Only quotas associated with the root namespace quotas are inheritable by default. #### Sample payload ```json { "path": "", "rate": 897.3, "interval": "2m", "block_interval": "5m" } ``` #### Sample request ```shell-session $ curl \ --request POST \ --header "X-Vault-Token: ..." \ --data @payload.json \ http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter ``` ### Delete a rate limit quota A rate limit quota can be deleted by `name`. | Method | Path | | -------- | ------------------------------ | | `DELETE` | `/sys/quotas/rate-limit/:name` | #### Sample request ```shell-session $ curl \ --request DELETE \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter ``` ### Get a rate limit quota A rate limit quota can be retrieved by `name`. | Method | Path | | ------ | ------------------------------ | | `GET` | `/sys/quotas/rate-limit/:name` | #### Sample request ```shell-session $ curl \ --request GET \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter ``` #### Sample response ```json { "request_id": "d0870811-455d-3dfd-459f-aee016e6fb68", "lease_id": "", "lease_duration": 0, "renewable": false, "data": { "block_interval": 300, "interval": 2, "name": "global-rate-limiter", "path": "", "rate": 897.3, "role": "", "type": "rate-limit" }, "warnings": null } ``` ### List rate limit quotas This endpoint returns a list of all the rate limit quotas. | Method | Path | | ------ | ------------------------ | | `LIST` | `/sys/quotas/rate-limit` | #### Sample request ```shell-session $ curl \ --request LIST \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/sys/quotas/rate-limit ``` #### Sample response ```json { "auth": null, "data": { "keys": ["global-rate-limiter", "kv-rate-limiter"] }, "lease_duration": 0, "lease_id": "", "renewable": false, "request_id": "ab633ee1-a692-ba03-083b-f1bd91c51c28", "warnings": null, "wrap_info": null } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.enclaive.cloud/vault/api/system-backend/sys-quotas-rate-limit.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.