Sumudu Sahan Weerasuriya

Application Level Throttling in WSO2 Microgateway with WSO2 API Manager

Hello Geeks!!! 😁😁😁

In this article, I will explain how to do application level throttling with WSO2 Microgateway and WSO2 API Manager.

As you know, WSO2 API Manager is the world’s leading open-source, enterprise-grade API management platform for on-premises, cloud, and hybrid architectures.

WSO2 Microgateway is an API Gateway for microservices, which is cloud-native, decentralized and developer-centric.

WSO2 API Microgateway supports resource level, subscription level and application level throttling with microservices.

If we expose an API through Microgateway and subscribe multiple applications with different throttling policies to it, multiple throttling policies are associated with that API. Therefore, the throttling condition is picked based on the policy registered with the application.

Eg: You have 2 applications (one registered with a 5 Requests per 1 Minute throttling policy and the other registered with a 2 Requests per 1 Minute throttling policy) and the API has been subscribed to by both applications. When you expose the API through Microgateway, both policies need to be applied based on the application.

So, how to achieve this??? 🤔🤔🤔

OK. We can do this in BOSS LEVEL!!! 😎😎😎 Let’s throttle.

For demonstration purposes, I will use the WSO2 Microgateway 3.2.1 Runtime, the WSO2 Microgateway 3.2.0 Toolkit and WSO2 API Manager 3.2.0. You can download WSO2 Microgateway from the official website [1] and WSO2 API Manager from the official website [2].

Let’s start from API creation.

  • Start the API Manager.
  • Go to the admin console. (https://<APIM_HOST>:<APIM_PORT>/admin)
Eg: https://localhost:9443/admin
  • Click on RATE LIMITING POLICIES -> Application Policies
  • Click on the Add Policy button and add the application policies by filling in the dialog box.
Add Application Policy Popup — WSO2 API Manager 3.2.0

For this case, I will add 2 application policies for multiple application subscriptions.

5 Requests per 1 Minute application policy
2 Requests per 1 Minute application policy

After creating application policies, let’s start to create an API.

  • Go to the publisher portal. (https://<APIM_HOST>:<APIM_PORT>/publisher)
Eg: https://localhost:9443/publisher
  • Click on the drop down Create New API -> Design a New REST API
  • On the next page, provide a Name, Context and Version for the API, plus an Endpoint (optional on this page) and Business plan(s) (optional on this page), then click on the Create button.
  • After the above step, you will land on the overview page of the API, as shown in the image below. The Publisher automatically creates the API with GET, PUT, POST, DELETE and PATCH resources with the path /*.
  • Click on Endpoints -> Add in the HTTP/REST Endpoint section, add an endpoint and click on the Save button. (For demonstration purposes, I will add the same mock endpoint for both the production and sandbox endpoints, as in the image below.)
  • Click on the Subscriptions section in the left navigation, select at least 1 business plan and click on the Save button. (For demonstration purposes, I will select the Unlimited business plan, as in the image below.)
Business Plans — WSO2 API Manager 3.2.0
  • Click on the Lifecycle section in the left navigation and click on the Publish button to publish the API. After clicking it, you will see output similar to the image below.

OK. Now you have published an API through the Publisher portal. Let’s create a Microgateway project via Toolkit.

  • Execute the below command to create a new Microgateway project.
micro-gw init <project_name>
Eg: micro-gw init TEST_API_PROJECT
Microgateway init project — WSO2 Microgateway Toolkit 3.2.0
  • Execute the below command to import the API that you published through the Publisher portal.
micro-gw import -a <API_name> -v <version> <project_name>
Eg: micro-gw import -a TEST_API -v 1.0.0 TEST_API_PROJECT
Import API from Publisher to Microgateway Toolkit — WSO2 Microgateway Toolkit 3.2.0
  • After importing the API, you can find the openAPI definition file inside the gen directory inside the project home -> api_definitions directory.

OK. Let’s build the project and run the API.

  • Execute the below command to build the imported project. After executing this command, you can get the runtime artifact inside the project home ->target directory.
micro-gw build <project_name>
Eg: micro-gw build TEST_API_PROJECT
Build Microgateway project — WSO2 Microgateway Toolkit 3.2.0

Before running the runtime artifact through the Microgateway runtime, we have to configure the WSO2 Microgateway runtime to establish the connection with WSO2 API Manager (to check and validate throttling policies).

  • Go to the extracted WSO2 Microgateway runtime location -> conf directory and open the micro-gw.conf file.
  • Configure the throttling configurations, event hub and binary transport configurations as below. (You have to configure the JMS host, port, username and passwords, TCP and SSL hosts with ports to enable event publishing. From API Manager 3.2.0 version onwards, we have to configure the eventhub as well.)
jmsConnectionProviderUrl = "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:5672'"
enabled = true
username = "admin"
password = "admin"
receiverURL = "tcp://localhost:9611"
authURL = "ssl://localhost:9711"
enable = true
serviceUrl = “
eventListeningEndpoints = "amqp://admin:admin@carbon/carbon?brokerlist='tcp://localhost:5672'"

Now, we have to run the runtime artifact through the WSO2 Microgateway runtime. For that, execute the below command.

gateway <PATH_TO_JAR_FILE>/<RUNTIME_ARTIFACT_NAME>.jar
Eg: gateway /home/sumudu/TEST_API_PROJECT/target/TEST_API_PROJECT.jar
Running the runtime artifact - WSO2 Microgateway Runtime 3.2.1

Now we have to create applications with defined application throttling policies. For that,

  • Go to the dev portal (https://<APIM_HOST>:<APIM_PORT>/devportal)
Eg: https://localhost:9443/devportal
  • Click on the Applications tab -> ADD NEW APPLICATION button to create a new application.
  • Give a name for the application, select the defined throttling policy and click on Save button. (Previously we have created 2 throttling policies. Hence, I will create 2 applications by adding those policies as below.)
Application with 2ReqPerMin throttling policy — WSO2 API Manager 3.2.0
Application with 5ReqPerMin throttling policy — WSO2 API Manager 3.2.0
  • After creating the applications, select an application and click on the Subscriptions tab in the left navigation.
  • Now we have to subscribe the TEST_API to the 5_REQ_PER_MIN_APP. For that, click on the SUBSCRIBE API button, select a subscription policy and click on the SUBSCRIBE button, as in the image below.
Subscribing an API — WSO2 API Manager 3.2.0
  • After making the subscription, you will see it as in the image below.

Do the same thing for the 2_REQ_PER_MIN_APP by subscribing the TEST_API.

  • Now, click on the Production Keys tab and generate application keys by clicking on the GENERATE KEYS button.
  • After generating application keys, you can generate an access token by invoking the token endpoint. (Please refer to the documentation [3] for more information about grant types and the token endpoint.)

For demonstration purposes, I will generate an access token by using the password grant type.

curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=Username&password=Password" -H "Authorization: Basic Base64(consumer-key:consumer-secret)"
Eg: curl -k -X POST https://localhost:8243/token -d "grant_type=password&username=admin&password=admin" -H "Authorization: Basic elllTkM0U0VNN3h2cFp0VEt2RE1QRXhHbW1rYTpUbUhGRlBvc2w2NUl1Qnh2XzU3Q1p5ZnZabmNh"

Let’s invoke the API.

Success Response
  • As you can see, when using the access token generated with the 5_REQ_PER_MIN_APP credentials, you get the success output. But when you invoke the API more than 5 times, you will see the below output.
Throttled Out Response

This means, the application throttling is working properly. 😎😎😎

  • If we use the access token generated with the 2_REQ_PER_MIN_APP credentials to invoke the API, we get the success result. But when invoking the API more than 2 times, you will see the below output.
Throttled Out Response
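
The behaviour observed above, as an added example that is not part of the original article and is not WSO2 code: a simplified fixed-window model of application level throttling, showing that one API subscribed by two applications is limited by each application's own policy. The class and function names are hypothetical, and keying the counter on the application name only and the fixed-window algorithm are assumptions of this sketch.

```python
# Constructed policy table mirroring the two application policies in this article:
# policy name -> (allowed requests, window length in seconds).
APP_POLICIES = {"5ReqPerMin": (5, 60), "2ReqPerMin": (2, 60)}

# The two applications from the article, each registered with one policy.
APPLICATIONS = {
    "5_REQ_PER_MIN_APP": "5ReqPerMin",
    "2_REQ_PER_MIN_APP": "2ReqPerMin",
}


class AppThrottler:
    """Fixed-window request counter keyed by application (assumed model)."""

    def __init__(self, applications, policies):
        self.applications = applications
        self.policies = policies
        self.windows = {}  # application name -> [window_start, request_count]

    def allow(self, application, now):
        """Return True if the call passes, False if it is throttled out."""
        policy = self.applications.get(application)
        if policy is None:
            return False  # unknown application: fail closed
        limit, period = self.policies[policy]
        window = self.windows.get(application)
        # Start a fresh window on the first call or once the period has elapsed.
        if window is None or now - window[0] >= period:
            window = [now, 0]
            self.windows[application] = window
        if window[1] >= limit:
            return False  # quota for this application is used up
        window[1] += 1
        return True


def replay(events):
    """Replay (timestamp_seconds, application) calls made to the same API."""
    throttler = AppThrottler(APPLICATIONS, APP_POLICIES)
    return [throttler.allow(app, now) for now, app in events]


if __name__ == "__main__":
    # Constructed traffic: both applications call the API once per second.
    events = [(t, app) for t in range(6) for app in APPLICATIONS]
    for (t, app), ok in zip(events, replay(events)):
        print(f"t={t:>2}s {app:<18} {'success' if ok else 'throttled out'}")
```
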

Please refer to the documentation [4] for more information about distributed throttling in WSO2 Microgateway 3.2.0

That’s it!!!

Congratulations!!! Now You can implement application throttling policy in Microgateway with WSO2 API Manager. 😇😇😇

Happy Micro Throttling!!! 😁😁😁





Software Engineer @ WSO2 | WSO2 Certified API Manager Expert | BIT(UCSC) | DiHN | OCPJP | Student Member of CSSL