To maintain performance and availability across a diverse base of client apps, it's critical
to maintain app traffic within the limits of the capacity of your APIs and backend services. It's
also important to ensure that apps don't consume more resources than permitted.
Apigee provides two policies that enable you to optimize traffic management to
minimize latency for apps while maintaining the health of backend services. Each policy type
addresses a distinct aspect of traffic management. In some cases, you might use both policy
types in a single API proxy.
SpikeArrest policy
The SpikeArrest policy protects against traffic surges. This
policy limits the number of requests processed by an API proxy and sent to a backend,
protecting against performance lags and downtime.
This policy should be
used to prevent sudden traffic bursts caused by malicious attackers attempting to disrupt a
service using a denial-of-service (DoS) attack or by buggy client applications.
Quota policy
This policy enforces consumption limits on client apps by maintaining a distributed 'counter'
that tallies incoming requests. The counter can tally API calls for any identifiable entity,
including apps, developers, API keys, access tokens, and so on. Usually, API keys are used to
identify client apps. This policy is computationally expensive so, for high-traffic APIs, it
should be configured for longer time intervals, such as a day or month. This policy should be used
to enforce business contracts or SLAs with developers and partners, rather than for operational
traffic management.
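As an added example (not taken from the original page), the fragments below sketch both policy types in a single API proxy: a proxy-wide SpikeArrest runs first to absorb surges, and a per-API-key Quota runs after key verification to enforce a contract limit. The policy names, the `x-api-key` header, the `30ps` rate and the `10000` per month allowance are constructed values, and each fragment would live in its own policy file.

```xml
<!-- policies/SA-Protect-Backend.xml (hypothetical name)
     Operational protection: no Identifier, so the limit applies to all
     traffic through this proxy, including unauthenticated requests. -->
<SpikeArrest continueOnError="false" enabled="true" name="SA-Protect-Backend">
  <Rate>30ps</Rate> <!-- constructed value: 30 requests per second -->
</SpikeArrest>

<!-- policies/VK-Verify-Key.xml (hypothetical name)
     Identifies the client app so the Quota counter can be keyed on it. -->
<VerifyAPIKey continueOnError="false" enabled="true" name="VK-Verify-Key">
  <APIKey ref="request.header.x-api-key"/> <!-- assumed header name -->
</VerifyAPIKey>

<!-- policies/Q-Partner-Contract.xml (hypothetical name)
     Business limit: one distributed counter per client app, counted over a
     long interval because the policy is computationally expensive. -->
<Quota continueOnError="false" enabled="true" name="Q-Partner-Contract">
  <Allow count="10000"/> <!-- constructed value -->
  <Interval>1</Interval>
  <TimeUnit>month</TimeUnit>
  <Identifier ref="verifyapikey.VK-Verify-Key.client_id"/>
  <Distributed>true</Distributed>
</Quota>

<!-- Excerpt from proxies/default.xml: step order in the request PreFlow.
     SpikeArrest comes first so a surge is rejected before any key lookup
     or quota counter update is spent on it. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>SA-Protect-Backend</Name></Step>
    <Step><Name>VK-Verify-Key</Name></Step>
    <Step><Name>Q-Partner-Contract</Name></Step>
  </Request>
  <Response/>
</PreFlow>
```

Placing the Quota step after key verification means requests with an invalid key are rejected without touching the contract counter.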
Last updated 2025-08-26 UTC.