API Reference
Base URL: http://localhost:8080 (default)
Decision APIs
Core endpoints for rate-limit evaluation and concurrency control.
POST /v1/check
Evaluate a rate-limit decision for a request context.
Request Body
{
"request_id": "req-1",
"org_id": "acme",
"tenant_id": "retail",
"signal_type": "http",
"operation": "charge",
"endpoint": "/v1/charge",
"method": "POST",
"user_id": "u1",
"tags": { "env": "production" }
}Response (200 OK)
{
"allowed": true,
"action": "allow",
"reason": "within_limit",
"matched_policy_id": "payments-limit",
"remaining": 99,
"retry_after": 0,
"shadow_mode": false
}
Tip
All fields in the request body are optional except
signal_type. The engine matches the most specific policy based on provided fields.
POST /v1/acquire
Acquire a concurrency lease. Use with concurrency limiter algorithm.
Request Body
{
"request_id": "req-2",
"org_id": "acme",
"signal_type": "http",
"operation": "heavy-query",
"user_id": "u1"
}Response
{
"allowed": true,
"action": "allow",
"reason": "lease_acquired",
"remaining": 4
}POST /v1/release
Release a previously acquired concurrency lease.
Request Body
{
"request_id": "req-2",
"org_id": "acme",
"signal_type": "http",
"operation": "heavy-query",
"user_id": "u1"
}Response
{
"allowed": true,
"action": "allow",
"reason": "lease_released"
}Policy CRUD
GET /v1/policies
List all policies.
Response
[
{
"policy_id": "payments-limit",
"name": "Payments limit",
"enabled": true,
"priority": 100,
"scope": { "org_id": "acme", "signal_type": "http", "operation": "charge" },
"algorithm": { "type": "fixed_window", "limit": 100, "window": "1m" },
"action": "deny",
"failure_mode": "fail_open",
"enforcement_mode": "enforce",
"rollout_percent": 100
}
]POST /v1/policies
Create a new policy.
Request Body
{
"policy_id": "payments-limit",
"name": "Payments limit",
"enabled": true,
"priority": 100,
"scope": {
"org_id": "acme",
"signal_type": "http",
"operation": "charge"
},
"algorithm": {
"type": "fixed_window",
"limit": 100,
"window": "1m"
},
"action": "deny",
"failure_mode": "fail_open",
"enforcement_mode": "enforce",
"rollout_percent": 100
}GET /v1/policies/{id}
Get a specific policy by ID.
PUT /v1/policies/{id}
Update an existing policy. The full policy body is required.
DELETE /v1/policies/{id}
Delete a policy by ID.
Policy Lifecycle APIs
POST /v1/policies/validate
Validate a policy definition before deployment.
Request
{
"name": "Validation sample",
"enabled": true,
"scope": { "signal_type": "http", "operation": "charge" },
"algorithm": { "type": "fixed_window", "limit": 10, "window": "1m" },
"action": "deny",
"rollout_percent": 50
}Response
{ "valid": true }POST /v1/policies/{id}/rollout
Update the rollout percentage for gradual enforcement.
{ "rollout_percent": 25 }POST /v1/policies/{id}/rollback
Roll back to a specific previous version.
{ "version": 1 }GET /v1/policies/{id}/audit
Get the audit trail for a policy — all changes with timestamps, action types, old/new values.
GET /v1/policies/{id}/versions
Get all historical versions of a policy for review or rollback.
Analytics
GET /v1/analytics/summary
Get a summary of decision events with tag aggregation.
Query Parameters
| Param | Type | Description |
|---|---|---|
top | integer | Return only top N entries (optional) |
Example
curl http://localhost:8080/v1/analytics/summary?top=5Sidecar / Agent Endpoints
Default port: :18080
| Method | Endpoint | Description |
|---|---|---|
| POST | /v1/check | Local rate-limit decision (proxied to upstream) |
| GET | /healthz | Health check |
| GET | /v1/agent/status | Agent status and metadata |
| POST | /v1/agent/invalidate | Trigger cache invalidation |
gRPC Service
Proto definition: api/proto/rlaas.proto | Default port: :9090
service RateLimitService {
rpc CheckLimit(CheckLimitRequest) returns (CheckLimitResponse);
rpc Acquire(AcquireRequest) returns (AcquireResponse);
rpc Release(ReleaseRequest) returns (ReleaseResponse);
}The gRPC service exposes the same decision logic as the HTTP API. Generate client stubs from the proto file for any language.
RequestContext Object
Sent as the body of decision API calls. All fields are optional except as noted.
| Field | Type | Description |
|---|---|---|
request_id | string | Unique request identifier |
org_id | string | Organization identifier |
tenant_id | string | Tenant identifier |
application | string | Application name |
service | string | Service name |
environment | string | Environment (prod, staging, dev) |
signal_type | string | http, grpc, log, trace, event, auth, job, custom |
operation | string | Operation name |
endpoint | string | Endpoint path |
method | string | HTTP method or gRPC method |
user_id | string | User identifier |
api_key | string | API key |
client_id | string | Client identifier |
source_ip | string | Source IP address |
region | string | Region identifier |
resource | string | Resource name |
severity | string | Log severity level |
span_name | string | Trace span name |
topic | string | Message topic |
consumer_group | string | Consumer group name |
job_type | string | Background job type |
quantity | int64 | Cost per request (default 1) |
tags | map<string,string> | Custom key-value tags |
Decision Object
Returned by decision API calls.
| Field | Type | Description |
|---|---|---|
allowed | bool | Whether the request is allowed |
action | string | allow, deny, delay, sample, drop, shadow_only, ... |
reason | string | Explanation (within_limit, limit_exceeded, ...) |
matched_policy_id | string | ID of the policy that matched |
remaining | int64 | Remaining quota in current window |
retry_after | duration | When to retry (for deny/delay) |
shadow_mode | bool | Whether this was a shadow-only evaluation |
metadata | map | Additional decision metadata |
Policy Object
Used for policy CRUD operations.
| Field | Type | Description |
|---|---|---|
policy_id | string | Unique policy identifier |
name | string | Human-readable name |
enabled | bool | Whether the policy is active |
priority | int | Higher = more important |
scope | PolicyScope | Matching dimensions |
algorithm | AlgorithmConfig | Algorithm type and config |
action | string | Action when limit exceeded |
failure_mode | string | fail_open or fail_closed |
enforcement_mode | string | enforce or shadow |
rollout_percent | int | 0–100, progressive rollout |
metadata | map | Extra metadata (match_expr, etc.) |
Error Format
All error responses return a JSON body with a descriptive message:
{
"error": "policy not found",
"status": 404
}