L The IntegrAuth Lab

← All practicals

P6

Hit a real rate limit

Hammer a demo endpoint and watch the fixed-window limiter fire a 429.

  1. 1

    Send requests to the demo endpoint.

    Each response carries X-RateLimit-Limit and X-RateLimit-Remaining — the standard headers an API gateway returns so clients can back off.

  2. 2

    Send an 11th within the same minute.

    A fixed-window counter (10/min per user) returns 429 rate_limited with Retry-After — the front-door defense against abuse and brute force.

Do it

The limiter allows 10 requests/minute per user. Fire 11 and watch the headers count down to the 429.

🩻 X-ray — what actually happened

Your own insert-only audit trail — the real server events, sanitized (never a secret), each linked to the lesson that explains it.

Loading…