This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit

Managing Throttling

This section guides you through the following areas:

IP Whitelisting

IP whitelisting is a way of configuring a filter to extract a particular set of known IP addresses and grant the access to the given assets for requests comes from those IPs only. With introducing Advanced Throttling in WSO2 API Manager you can achieve IP whitelisting via the throttling features provided by Traffic Manager. For this we are creating an Advanced Throttling policy and attach it to the API.

Creating the Advanced Throttling policy
  1. Login to the admin portal of WSO2 API Manager (https://<ip_address>:9443/admin).
  2. Open Throttling Policies tab and navigate to Advanced Throttling.
  3. Click ADD NEW POLICY to add a new Throttling tier.
  4. Fill the details as below and click Add Conditional Group.
  5. Open the Conditional Group added and fill the details.

     IP Condition PolicyChecked
    IP Condition TypeSpecific IP
    IP Address
    <IP_Address_to_be_whitelisted> E.g.
    Invert ConditionChecked (If Invert Condition check then condition only apply to the IPs which not mention in IP Address above)
    Request Count0
    Unit Time

    10 Year(s)

    The policy will be re-enforced for every unit time. Each time the policy is enforced a minimum of 1 request will be allowed to pass before blocking the requests. Having a smaller unit time will increase the frequency of requests passing through. Hence, having an larger unit time is suitable to minimize the number of requests passing through.

    Following is a example configuration.

    In above configuration we are whitelisting a Specific IP.

    You can whitelist a rang of IP as well by selecting IP Range for the IP Condition Type in the Conditional Group and specifying the range.

  6. Click Save

    You have successfully created the policy. Now we should engage this policy to an API.
Engage the policy with an API
  1. Login to API Publisher https://<IP_address>:9443/publisher.
  2. Edit API and go to Manage tab.
  3. Enable Apply to API under Advance Throttling Policies and select the newly created Throttling policy.
  4. Save and Publish the API.
    Now the API will be accessible only by the IP specified in the throttling policy.

    Since it takes some time to deploy the policy, the first few requests from the IPs other than the white-listed IP/IPs will be passed through. After the policy is successfully deployed, non-white-listed IP access will be blocked.

    API-M Throttling is asynchronous. When you apply a new whitelisting condition, note that at least one request has to go through for the condition to be applied

Blacklisting requests

By blacklisting requests, you can protect servers from common attacks and abuse by users. For example, if a malicious user misuses the system, all requests received from that particular user can be completely blocked. Tenant administrative users can block requests based on the following parameters:

  • Block calls to specific APIs
  • Block all calls from a given application
  • Block requests coming from a specific IP address
  • Block a specific user from accessing APIs

To blacklist a request, 

  1. Log in to the Admin Portal using the URL https://localhost:9443/admin and your admin credentials.
  2. Click Black List under the Throttle Policies section and click Add Item.

Select the item to black list, enter a value and click Blacklist.

Note that you have to use "/" always infront of the ${context} value when blacklisting the APIs with API context. E.g. /test/1.0.0. The sample provided in the product does not include "/" due to a known issue.

You can temporary on/off the blacklisting condition by enabling/disabling the Condition status that is auto enabled when a blacklisting condition is created.

Blacklisting PhoneVerification API

As described above you can blacklist requests for APIs, by Applications, to IP Addresses and for Users. Let's see how we can blacklist the requests come to the PhoneVerification API that we published in Quick Start Guide.

  1. Log in to the Admin Portal using the URL https://localhost:9443/admin and your admin credentials.
  2. Click Black List under the Throttle Policies section and click Add Item.
  3. Select API Context and provide the Context of PhoneVerification API with version as the Value.
  4. Click Blacklist.
  5. Now login to API Store using the URL https://localhost:9443/store and invoke the API.
    You will see the following response.