Open In App

How to throttle API with Django Rest Framework

Have you ever passed through an overbridge and noticed the sign stating the bridge weight restriction? Those restrictions are put in place to ensure public safety. Django REST Framework uses a similar process named throttling that controls the rate of requests that the client can make to an API. This rate limit restriction can ensure scalability, protection against slow performance and denial-of-service (DoS) attacks, and improve overall user experience. 

The Django REST Framework has three throttling classes in the rest_framework.throttling module — AnonRate, UserRate, and ScopedRate throttle. All these classes specify throttling rules that signify the maximum number of requests in a given time within the scope. These classes have different mechanisms to specify the scope – to compare previous information with the new request. Let’s dig deep into the DRF throttling feature.

Note: Please refer to Adding Permission in API – Django REST Framework and Customizing Object Level Permissions – Django REST Framework to make use of permission with throttling


AnonRateThrottle will throttle unauthenticated users. Using the IP address of the incoming request, a unique key is generated to throttle against. The allowed request rate is determined from any of the following:

Let’s set the throttling policy globally. You can open the file and mention the throttle class and throttle rate  as below:

        'anon': '2/day'

You can include second, minute, hour, or day as the throttle period (THROTTLE RATES). 

Let’s try the HTTPie command to retrieve the robots. Here, we retrieve the list without providing any credentials.

http GET :8000/robot/


HTTP/1.1 200 OK
Content-Language: en
Content-Length: 2106
Content-Type: application/json
Date: Sat, 02 Oct 2021 14:29:40 GMT
Referrer-Policy: same-origin
Server: WSGIServer/0.2 CPython/3.7.5
Vary: Accept, Accept-Language
X-Content-Type-Options: nosniff
X-Frame-Options: DENY

        "currency": "USD",
        "currency_name": "US Dollar",
        "manufacturer": "ABB",
        "manufacturing_date": "2020-05-10T00:00:00Z",
        "name": "IRB 1100",
        "owner": "sonu",
        "price": 25000,
        "robot_category": "Articulated Robots",
        "url": "http://localhost:8000/robot/7/"
        "currency": "USD",
        "currency_name": "US Dollar",
        "manufacturer": "ABB",
        "manufacturing_date": "2020-08-10T00:00:00Z",
        "name": "IRB 120",
        "owner": "sonu",
        "price": 35000,
        "robot_category": "Articulated Robots",
        "url": "http://localhost:8000/robot/8/"

Here, the anon throttle rate is set as 2 API requests per day. So, it doesn’t allow more than two requests. You will get below output if your request rate exceeds 2 requests.


UserRateThrottle controls the rate of requests send by both authenticated and unauthenticated users. The user id is the unique cache key for authenticated requests, and the IP address is the unique cache key for unauthenticated requests. 

The allowed request rate is determined from any of the following:

You can edit the REST_FRAMEWORK dictionary as follows:

        'anon': '2/day',
        'user': '5/day'

The throttling rules in our REST_FRAMEWORK dictionary are as below:

The below authenticated HTTPie command allows 5 requests per day.

http -a “sonu”:”sn@pswrd” GET :8000/robot/

The restful web service raises too many requests for more than 5 requests per day.


The ScopedRateThrottle class controls the rate of requests for specific features in our RESTFul web service. Here the view that is being accessed should include the .throttle_scope property. Let’s add a throttle scope to our RobotDetail class and mention the throttle rate for the scope.

First, let’s import the ScopedRateThrottle.

from rest_framework.throttling import ScopedRateThrottle

Now add the below lines of code 

throttle_scope = 'robots'
throttle_classes = (ScopedRateThrottle,)

Our RobotDetail class looks as follows:

class RobotDetail(generics.RetrieveUpdateDestroyAPIView):
    throttle_scope = 'robots'
    throttle_classes = (ScopedRateThrottle,)
    permission_classes = (
    queryset = Robot.objects.all()
    serializer_class = RobotSerializer
    name = 'robot-detail'

Next, let’s add the throttle rate for the scope ‘robots’.

        'anon': '2/day',
        'user': '5/day',
        'robots': '3/day'

Let’s try the authenticated HTTPie request to retrieve the robot based on the id, which makes use of RobotDetail class to fetch the robot based on the id. The command is as follows:

http -a “sonu”:”sn@pswrd” GET :8000/robot/2/


Here, our scope rate is 3 requests per day. We will get too many requests if it exceeds 3 requests. The output for the 4th request is as follows:

Article Tags :