Unauthorized Usage Plans

In this guide you are going to apply an Unauthorized Usage Plan that is associated with the version of an API Product in an Environment. An Unauthorized Usage Plan can specify a rate limit policy for all users without requiring authentication.


You will need these things in place to follow the guide:

Adding an Unauthorized UsagePlan group to an API Product in an Environment

API Products that have been added to an Environment may have Usage Plans to determine how users and groups may access and use the API. If there are no plans associated with an API Product, then everyone has unauthenticated and unlimited access. For cases where we do not want to require Authentication, but do want to enforce Rate Limiting, we will need an Unauthorized Usage Plan.

We will update the configuration of the Petstore API Product in the Development Environment to include the Unauthorized usage plan:

cat << EOF | kubectl apply -f-
apiVersion: portal.gloo.solo.io/v1beta1
kind: Environment
metadata:
  name: dev
  namespace: default
spec:
  domains:
  - api.example.com
  # If you are using Gloo Edge and the Gateway is listening on a port other than 80,
  # you need to include a domain in this format: <DOMAIN>:<PORT>.
  - api.example.com:${INGRESS_PORT}
  displayInfo:
    description: This environment is meant for developers to deploy and test their APIs.
    displayName: Development
  parameters:
    usagePlans:
      noauth:
        displayName: Unauthorized plan with global rate limit
        authPolicy:
          # Unauthorized plans support only global rate limiting
          unauthorized:
            global: {}
        rateLimit:
          requestsPerUnit: 3
          unit: MINUTE
  apiProducts:
  - namespaces:
    - "*"
    labels:
    - key: app
      operator: Equals
      values:
      - petstore
    versions:
      names:
      - stable
    usagePlans:
    - noauth
EOF

We have now created a usage plan that limits all traffic for the Petstore API Product to 3 requests per minute.

If there is an Unauthorized UsagePlan on a particular Product, it must be the only plan on the Product.
You must specify the type of rate limiting to apply for the UsagePlan. At this time Unauthorized plans only support global rate-limiting, which limits all traffic collectively and can be specified with "global: {}".

Testing the Unauthorized Plan

In order to directly request the Product, you will need to update your hosts file to map api.example.com to the IP address of the ingress controller. If you haven't already done so from the Getting Started exercise, you will need to do the following.

Then let's add the entry for the api.example.com domains:

cat <<EOF | sudo tee -a /etc/hosts

# Added for Gloo Portal Guides
${INGRESS_HOST} api.example.com
EOF

We can request the API using curl:

curl "http://api.example.com:${INGRESS_PORT}/api/pets" -H  "accept: application/json" -v

We will get a response with a JSON object and a status code of 200:

> GET /api/pets HTTP/1.1
> Host: api.example.com
> User-Agent: curl/7.64.1
> Accept: */*
< HTTP/1.1 200 OK
< content-type: application/xml
< date: Wed, 29 Mar 2023 22:42:41 GMT
< content-length: 86
< x-envoy-upstream-service-time: 0
< server: envoy

Note that the request does not include any authentication.

We did place a rate limit of three operations per minute in our Usage Plan. If we execute requests three times in rapid succession, the fourth request will receive an empty response with a status code of 429:

> GET /api/pets HTTP/1.1
> Host: api.example.com
> User-Agent: curl/7.64.1
> Accept: */*
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< date: Wed, 29 Mar 2023 22:44:09 GMT
< server: envoy
< content-length: 0

Though no authentication is necessary to use a Product with an Unauthorized plan, users are required to log in to the Portal UI in order to use the Try it Out feature.
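
A scripted version of the rate-limit check above, added here as an example and not taken from the Gloo Portal documentation. The function names `classify_codes` and `probe` and the `--live` switch are assumptions of this example. Because the plan's limit is global, a 429 can arrive before the fourth request when other callers have already used part of the window.

```shell
#!/bin/sh
# Added example (not from the Gloo Portal docs): confirm the plan's limit is enforced.
LIMIT=3   # requestsPerUnit in the noauth plan on this page

# classify_codes LIMIT: read one HTTP status per line on stdin and print
#   enforced      a 429 arrived within the first LIMIT+1 requests
#   not-enforced  LIMIT+1 requests all returned 200 (plan missing or not applied)
#   error         another status came first, or too few samples were read
# The limit is global, so traffic from other callers can bring the 429 earlier.
classify_codes() {
  cc_limit=$1
  cc_n=0
  while read -r cc_code; do
    cc_n=$((cc_n + 1))
    case "$cc_code" in
      429) echo enforced; return 0 ;;
      200) if [ "$cc_n" -gt "$cc_limit" ]; then echo not-enforced; return 1; fi ;;
      *)   echo error; return 2 ;;
    esac
  done
  echo error
  return 2
}

# probe URL COUNT: send COUNT unauthenticated GETs, print one status per line.
# curl prints 000 when it cannot connect, which classify_codes reports as error.
probe() {
  p_i=0
  while [ "$p_i" -lt "$2" ]; do
    curl -s -o /dev/null -w '%{http_code}\n' -H 'accept: application/json' "$1"
    p_i=$((p_i + 1))
  done
}

if [ "${1:-}" = "--live" ]; then
  # Hypothetical switch: run against the gateway configured in this guide.
  probe "http://api.example.com:${INGRESS_PORT}/api/pets" $((LIMIT + 1)) |
    classify_codes "$LIMIT"
else
  # Constructed sample: the four responses described on this page.
  printf '200\n200\n200\n429\n' | classify_codes "$LIMIT"
fi
```

Run it with `--live` once `INGRESS_PORT` is set and the hosts entry is in place; a `not-enforced` result means the Product is reachable without any limit.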


In this guide we applied an Unauthorized Usage Plan to an API Product in order to enforce a rate-limiting policy despite not requiring authentication.

Next steps

You may want to learn more about applying Usage Plans that require authentication. Check out the Users and Groups guide to learn about API Key plans, or the OAuth guide to learn about OAuth plans.