POST
/
v2
/
ratelimit.limit
Go (SDK)
package main

import(
	"context"
	"os"
	unkey "github.com/unkeyed/sdks/api/go/v2"
	"github.com/unkeyed/sdks/api/go/v2/models/components"
	"log"
)

func main() {
    ctx := context.Background()

    s := unkey.New(
        unkey.WithSecurity(os.Getenv("UNKEY_ROOT_KEY")),
    )

    res, err := s.Ratelimit.Limit(ctx, components.V2RatelimitLimitRequestBody{
        Namespace: "api.requests",
        Cost: unkey.Int64(5),
        Duration: 60000,
        Identifier: "user_abc123",
        Limit: 100,
    })
    if err != nil {
        log.Fatal(err)
    }
    if res.V2RatelimitLimitResponseBody != nil {
        // handle response
    }
}
{
  "data": {
    "limit": 100,
    "remaining": 99,
    "reset": 1714582980000,
    "success": true
  },
  "meta": {
    "requestId": "req_01H9TQPP77V5E48E9SH0BG0ZQX"
  }
}

Authorizations

Authorization
string
header
required

Unkey uses API keys (root keys) for authentication. These keys authorize access to management operations in the API. To authenticate, include your root key in the Authorization header of each request:

Authorization: Bearer unkey_123

Root keys have specific permissions attached to them, controlling what operations they can perform. Key permissions follow a hierarchical structure with patterns like resource.resource_id.action (e.g., apis.*.create_key, apis.*.read_api). Security best practices:

  • Keep root keys secure and never expose them in client-side code
  • Use different root keys for different environments
  • Rotate keys periodically, especially after team member departures
  • Create keys with minimal necessary permissions following least privilege principle
  • Monitor key usage with audit logs.

Body

application/json
namespace
string
required

The id or name of the namespace.

Required string length: 1 - 255
Example:

"sms.sign_up"

duration
integer
required

Sets the rate limit window duration in milliseconds after which the counter resets. Shorter durations enable faster recovery but may be less effective against sustained abuse. Common values include 60000 (1 minute), 3600000 (1 hour), and 86400000 (24 hours). Balance user experience with protection needs when choosing window sizes.

Required range: 1000 <= x <= 2592000000
Example:

60000

identifier
string
required

Defines the scope of rate limiting by identifying the entity being limited. Use user IDs for per-user limits, IP addresses for anonymous limiting, or API key IDs for per-key limits. Accepts letters, numbers, underscores, dots, colons, slashes, and hyphens for flexible identifier formats. The same identifier can be used across different namespaces to apply multiple rate limit types. Choose identifiers that provide appropriate granularity for your rate limiting strategy.

Required string length: 1 - 255
Example:

"user_12345"

limit
integer
required

Sets the maximum operations allowed within the duration window before requests are rejected. When this limit is reached, subsequent requests fail with RATE_LIMITED until the window resets. Balance user experience with resource protection when setting limits for different user tiers. Consider system capacity, business requirements, and fair usage policies in limit determination.

Required range: 1 <= x <= 1000000
Example:

1000

cost
integer
default:1

Sets how much of the rate limit quota this request consumes, enabling weighted rate limiting. Use higher values for resource-intensive operations and 0 for tracking without limiting. When accumulated cost exceeds the limit within the duration window, subsequent requests are rejected. Essential for implementing fair usage policies and preventing resource abuse through expensive operations.

Required range: 0 <= x <= 1000
Example:

5

Response

Rate limit check completed successfully. Check the success field to determine if the request is allowed.

meta
object
required

Metadata object included in every API response. This provides context about the request and is essential for debugging, audit trails, and support inquiries. The requestId is particularly important when troubleshooting issues with the Unkey support team.

data
object
required