API limits

Introduction

Limiting the depth and/or rate of API requests can help prevent API performance issues caused by malicious or poorly implemented queries.

Configuring an API limit

Rate limits
Restricts the number of GraphQL operations per minute. This uses a sliding window: whenever Hasura Pro receives a request, it counts that client's requests over the one minute ending at the current time.
Depth limits
Restricts a GraphQL operation based on its depth, preventing deeply nested queries.
Node limits

Restricts a GraphQL operation based on the number of nodes. This helps limit the number of different pieces of related data that can be fetched.

A node is defined as a field with a selection set.

For example, in the query below the number of nodes is 3: author, articles and homepage_entries.

{
  author {
    name
    articles {
      id
      title
    }
  }
  homepage_entries {
    article_id
  }
}
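An added example, not Hasura's code: a Python sketch that counts nodes by the definition above and reports which limits a query would exceed. The function names `measure` and `exceeded` are hypothetical, depth is assumed to mean the deepest nesting of selection sets, and fragments and block strings are not handled.

```python
import re

# Comments, string literals and the four brackets are all this sketch needs.
TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|[{}()]')

# The query from the page.
EXAMPLE = """
{
  author {
    name
    articles {
      id
      title
    }
  }
  homepage_entries {
    article_id
  }
}
"""

def measure(query):
    """Return (nodes, depth) for one GraphQL operation."""
    nodes = depth = deepest = parens = 0
    for tok in TOKEN.findall(query):
        if tok[0] in '#"':
            continue              # comment or string: braces inside are text
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif parens:
            continue              # input objects in arguments are not selections
        elif tok == "{":
            if depth >= 1:        # outermost brace is the operation, not a field
                nodes += 1
            depth += 1
            deepest = max(deepest, depth)
        else:                     # closing brace of a selection set
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced selection set")
    if depth or parens:
        raise ValueError("unbalanced query")
    return nodes, deepest

def exceeded(query, max_nodes, max_depth):
    """Return the names of the limits (assumed caps) that the query breaks."""
    nodes, depth = measure(query)
    checks = (("nodes", nodes, max_nodes), ("depth", depth, max_depth))
    return [name for name, got, cap in checks if got > cap]
```

Braces inside arguments, such as a `where` input object, are skipped so that filters do not inflate the node count.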

API limits are defined by role (anonymous, user) and can restrict request rate, depth, or both. Unique request parameters can include IP address or session variables (x-hasura-user-id, x-hasura-org-id, etc.).

Manage API limits

API limits can have a global or per-role configuration. If an incoming request does not contain a valid role, the global limit is applied.

Figure: Hasura Cloud Console API limit tab

Admin & IntrospectionQuery exemptions

No API limits are applied to the admin role, and depth limits are NOT applied to introspection queries.

Quick-create limits

Hasura Cloud lets you add limits with one click from the list of past operations.

Figure: Hasura Cloud Console create new API limit