
Rate Limiting

Throttle abuse, protect capacity.

Granular, distributed rate limiting for your APIs and web apps. Define limits per IP, per token, per route, or per user, and Karbon enforces them at the edge — protecting origin capacity and blunting brute-force, scraping, and abuse.

Multi-dimensional keys

Limit by IP, API token, header, route, or authenticated user — or any combination — for surgical control.

Distributed enforcement

Counters are shared across the edge, so a client can't dodge limits by hopping points of presence.

Burst + sustained

Allow short bursts while capping sustained throughput, matching how real clients and real abuse actually behave.

Graceful responses

Return proper 429s with Retry-After headers so well-behaved clients back off instead of retrying blindly.
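As an added illustration (not Karbon's code or configuration syntax), the sketch below combines the three ideas above in a single-process token bucket: composite keys, a burst capacity with a sustained refill rate, and a 429 carrying Retry-After. The names `Rule`, `Limiter` and `RULES`, the request fields, and the sample limits are assumptions made for the example.

```python
import math
from dataclasses import dataclass

@dataclass
class Rule:
    dims: tuple   # request fields that form the key, e.g. ("route", "user")
    burst: int    # bucket capacity: requests allowed back to back
    rate: float   # sustained refill, in tokens per second

class Limiter:
    """In-memory token buckets. A distributed deployment would keep the
    same state in a store shared by all enforcement points."""

    def __init__(self, rules):
        self.rules = rules
        self.buckets = {}  # (rule index, key values) -> [tokens, last_seen]

    def check(self, req, now):
        """Return (status, headers); every rule must have a token to pass."""
        touched, retry = [], 0.0
        for i, rule in enumerate(self.rules):
            # A field missing from the request keys as None, so such
            # requests share one bucket for that rule.
            key = (i, tuple(req.get(d) for d in rule.dims))
            tokens, last = self.buckets.get(key, (float(rule.burst), now))
            # Refill for the elapsed time, never above the burst capacity.
            tokens = min(rule.burst, tokens + (now - last) * rule.rate)
            self.buckets[key] = [tokens, now]
            if tokens < 1.0:
                # Seconds until this bucket holds one whole token again.
                retry = max(retry, (1.0 - tokens) / rule.rate)
            touched.append(key)
        if retry > 0:
            return 429, {"Retry-After": str(math.ceil(retry))}
        for key in touched:  # charge each bucket only when the request passes
            self.buckets[key][0] -= 1.0
        return 200, {}

# Constructed sample limits: 3-request burst, then 1 request per 2 s,
# per (route, user); plus a looser cap per source IP.
RULES = [Rule(("route", "user"), burst=3, rate=0.5),
         Rule(("ip",), burst=10, rate=1.0)]

if __name__ == "__main__":
    lim = Limiter(RULES)
    req = {"route": "/login", "user": "alice", "ip": "198.51.100.7"}
    for t in (0.0, 0.0, 0.0, 0.0, 2.0):
        print(t, lim.check(req, t))
```

Because the first rule keys on route and user rather than IP, the same user arriving from a different address still hits the exhausted bucket, while a different user behind the same address is unaffected.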

Frequently asked questions

Where are limits enforced?

At the edge, before traffic reaches your origin. That means abusive load is shed early and your servers only ever see traffic within budget.

Can I rate-limit per user instead of per IP?

Yes. Limits can key on API token, authenticated user, header, or route — not just IP — so shared-NAT users aren't unfairly grouped and abusers can't rotate IPs to escape.

Does it help against brute force?

Directly. Tight limits on login and token endpoints make credential brute-forcing and token cracking economically pointless.