Controlling API requests with a rate limiter policy

The API rate limiter policy is a control mechanism that regulates how frequently API requests are allowed to reach Commvault services.

Its primary purpose is to balance sustained traffic and short-term spikes by using the following configuration parameters:

  • Requests per second (RPS): Defines the sustained rate of API requests allowed over time. RPS governs long-term throughput and ensures steady, predictable API consumption.

    For example, if RPS = 10, up to 10 requests per second are permitted on a continuous basis. If the incoming traffic consistently exceeds this rate, excess requests are throttled (rate-limited).

  • Burst capacity: Burst capacity defines the number of requests that can be processed instantly within a short time window. It ensures that temporary traffic spikes do not impact long-term fairness or system stability.

    For example, if RPS = 10 and Burst = 50, up to 50 requests can be handled immediately. After the burst limit is reached, request handling follows the configured RPS rate.

Key capabilities

  • Maintain system stability and performance.

  • Protect backend services from overload.

  • Ensure fair API usage across companies and user groups.

  • Prevent misuse or excessive API consumption.

  • The rate limiter is designed to balance sustained traffic and short-term spikes through configurable parameters.

How the API Rate Limiter policy works

The API rate limiter policy can be applied at multiple levels within the Commvault environment to control and manage API usage. Policies can be configured at the CommCell, company, and user group levels.

Note

When you add a rate limiter policy at the CommCell level, by default, the policy is applied to each individual company. For CommCell users, you can define the policy at the user group level.

When an API request is sent to Commvault services, the system evaluates all applicable rate limiter policies before processing the request.

The evaluation process works as follows:

  1. Commvault determines which rate limiter policies apply to the request based on the CommCell, company, and user group associated with the request.

  2. Each applicable policy is checked to determine whether the request stays within the configured limits, such as Requests Per Second (RPS) and Burst capacity.

  3. The request must satisfy all applicable policies. If any policy limit is exceeded, the request is considered over the limit.

  4. If a request exceeds any applicable policy limit, the API call is rejected and returns an HTTP status code 429 (Too Many Requests).

For example, if the following policies exist:

  • Company policy: 50 requests per second

  • User group policy: 20 requests per second

A user belonging to that company and user group must stay within both limits. In this case, the effective limit is the most restrictive one, which is 20 requests per second.
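The evaluation steps above can be sketched as follows. This is an added example, not Commvault's code: it models each policy as a token bucket (an assumption, the page does not name the algorithm), the `Policy` and `handle` names are hypothetical, and the burst values are constructed because the page gives none for the company and user group policies.

```python
class Policy:
    """One rate limiter policy, modelled as a token bucket (an assumption)."""

    def __init__(self, name, rps, burst):
        self.name, self.rps, self.burst = name, rps, burst
        self.tokens = burst   # bucket starts full: a whole burst is available
        self.last = 0.0       # time of the previous refill, in seconds

    def refill(self, now):
        # Tokens accrue at the sustained rate, capped at the burst capacity.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rps)
        self.last = now


def handle(policies, now):
    """Return 200 if every applicable policy allows the request, else 429."""
    for p in policies:
        p.refill(now)
    if any(p.tokens < 1 for p in policies):
        return 429  # one exceeded policy is enough; no tokens are consumed
    for p in policies:
        p.tokens -= 1
    return 200


def accepted_per_second(policies, load, seconds):
    """Send `load` requests at the start of each second; count the 200s."""
    return [sum(handle(policies, float(t)) == 200 for _ in range(load))
            for t in range(seconds)]


def demo():
    # RPS values are the page's example; burst values are constructed.
    company = Policy("company", rps=50, burst=100)
    group = Policy("user group", rps=20, burst=50)
    return accepted_per_second([company, group], load=100, seconds=3)


if __name__ == "__main__":
    print(demo())
```

In this model the first second is bounded by the smaller burst, and every later second settles at the most restrictive RPS.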
