Clarification on Rate Limiting Strategies and Potential Workarounds

[isarns]

Hi team 👋

I’ve been working on implementing rate limiting on our router using the "simple" strategy. However, I noticed that once the rate limit is triggered, it applies globally all clients get rate-limited, which isn’t quite what we need.

While researching, I came across your blog post:
📖 Rate Limiting for Federated GraphQL APIs

In the post, you mentioned:

"In addition to the 'simple' rate limiting strategy, we will support more advanced rate limiting strategies in the future, like rate limiting based on the client's IP address, their API key, or a claim in their JWT."

It's been over a year since that was published—so I wanted to check:

• Are any of these more advanced strategies now supported?
• Are there plans or a roadmap for supporting them?
• Is there any known workaround to simulate per-client rate limiting today?

Thanks in advance for any updates or suggestions!

[rajendersaini]

Hi I can verify we can use JWT claims as suffix to bucket the traffic for a specific client, assume you have client_id or some other identifier in the JWT.

I also put up an MR which allows you to override the strategy for a given client.

here - #2409