Skip to content

feat: tiered rate-limit policies driven by API key plan tier#440

Merged
greatest0fallt1me merged 1 commit into
CalloraOrg:mainfrom
temisan0x:feature/tiered-rate-limits
Jun 25, 2026
Merged

feat: tiered rate-limit policies driven by API key plan tier#440
greatest0fallt1me merged 1 commit into
CalloraOrg:mainfrom
temisan0x:feature/tiered-rate-limits

Conversation

@temisan0x

@temisan0x temisan0x commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Closes #389

The gateway used one maxRequests/windowMs pair for every API key. This wires rate limits to each key's plan_tier instead.

How it works

  1. Migration 0007 adds plan_tier to api_keys (free / pro / enterprise, default free)
  2. gatewayApiKeyAuth reads plan_tier from the DB and sets res.locals.apiKeyTier
  3. proxyRoutes passes that tier into rateLimiter.check(apiKey, tier?)
  4. rateLimiter picks the policy from a tier map; unknown or missing tiers fall back to the existing defaults (with a warning log for unknown values)

Defaults: free 100/min, pro 500/min, enterprise 5000/min. You can override via tierPolicies on RateLimiterConfig if needed.

Docs are in docs/tiered-rate-limits.md.

Testing

npm test -- rateLimiter

31 tests pass (rateLimiter.test.ts + rateLimiter.tiered.test.ts) — per-tier ceilings, fallback behaviour, custom overrides, bucket isolation.

Deploy note

Run 0007_add_plan_tier_to_api_keys.sql before shipping.

CI

npm run typecheck is already red on main (~49 errors in webhook/settlement/vault files, etc.). None of those touch files in this PR.

- Add plan_tier column to api_keys (migration CalloraOrg#7)
- Extend RateLimiterConfig with tierPolicies map
- StoreBackedRateLimiter.check() resolves per-tier policy
- Unknown tier warns + falls back to default
- gatewayApiKeyAuth sets res.locals.apiKeyTier from DB record
- proxyRoutes passes tier into rateLimiter.check()
- 31 tests passing (tiered + existing suite)

Closes CalloraOrg#389
@drips-wave

drips-wave Bot commented Jun 25, 2026

Copy link
Copy Markdown

@temisan0x Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@greatest0fallt1me greatest0fallt1me merged commit dba2423 into CalloraOrg:main Jun 25, 2026
1 check failed
@greatest0fallt1me

Copy link
Copy Markdown
Contributor

tiered rate-limit policies driven by the api-key plan tier is a clean way to differentiate plans. i rebased it onto main — your tier field merged in cleanly right alongside the new scopes field. merged 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Implement tiered rate-limit policies in rateLimiter driven by API key plan tier

2 participants