The API key rate limiting mechanism does not appear to be enforcing the configured request threshold correctly.
An API key configured with a rate limit of 1 request per minute is able to successfully execute multiple requests within the same one-minute window.
This behavior defeats the purpose of rate limiting and may lead to excessive API consumption.
Preconditions
- API key exists and is active.
- Rate limit is configured as 1 request/minute.
Steps to Reproduce
- Create or use an API key with a rate limit of 1 request/minute.
- Send a successful API request using the key.
- Immediately send one or more additional requests within the same minute.
- Observe the API responses.
Actual Result
- Multiple requests are processed successfully within the same one-minute window.
- No rate limit validation or throttling is triggered.
- No HTTP 429 (Too Many Requests) response is returned.
Expected Result
- Only the first request within the configured one-minute window should be allowed.
- Subsequent requests within the same window should be blocked.
- The API should return an appropriate error response (e.g., HTTP 429 Too Many Requests) with a meaningful message indicating the rate limit has been exceeded.
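A reference for the behaviour listed under Expected Result, added here as an example and not the project's own code: a per-key fixed-window limiter that allows the first request in a window and answers the rest with HTTP 429. The class and function names, the window anchored at a key's first request, and the `Retry-After` header are assumptions; the request times are constructed.

```python
import math
import threading
import time


class FixedWindowLimiter:
    """Per-key fixed-window limiter (hypothetical helper, not the project's code)."""

    def __init__(self, limit=1, window_seconds=60, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so tests do not have to sleep
        self._lock = threading.Lock()
        self._state = {}  # api_key -> (window_start, requests_counted)

    def check(self, api_key):
        """Return (allowed, retry_after_seconds) for one request."""
        now = self.clock()
        with self._lock:  # read, compare and increment as one atomic step
            start, count = self._state.get(api_key, (now, 0))
            if now - start >= self.window:
                start, count = now, 0  # previous window expired
            if count >= self.limit:
                return False, math.ceil(start + self.window - now)
            self._state[api_key] = (start, count + 1)
            return True, 0


def handle_request(limiter, api_key):
    """Return (status, headers, body) matching the report's expected result."""
    allowed, retry_after = limiter.check(api_key)
    if not allowed:
        msg = f"Rate limit exceeded: {limiter.limit} request(s) per {limiter.window}s"
        return 429, {"Retry-After": str(retry_after)}, msg
    return 200, {}, "ok"


def replay(offsets, api_key="constructed-key"):
    """Replay constructed request times (seconds) through a fresh 1/minute limiter."""
    now = [0.0]
    limiter = FixedWindowLimiter(limit=1, window_seconds=60, clock=lambda: now[0])
    statuses = []
    for t in offsets:
        now[0] = t
        statuses.append(handle_request(limiter, api_key)[0])
    return statuses
```

`replay([0, 1, 30, 59.9, 60, 61])` follows the reproduction steps: every request after the first inside the minute gets 429, and the request at 60 seconds opens a new window.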