API abuse prevention

Layer destination and resource controls before opening an upstream connection

ThrottleProxy combines workspace authentication, precise allowlists, private-network blocking, pinned DNS results, safe ports, credential stripping, exact key lookup, and bounded resource use. These controls reduce abuse risk; they do not replace network-edge protection.

SSRF controls · Atomic caps · Safe timeouts

Practical boundaries

Abuse resistance comes from several independent limits

Reject unsafe targets

Block local, private, reserved, metadata, unsafe-protocol, credential-bearing, and unsafe-port destinations.

Pin validated DNS

Use the validated public address while preserving TLS verification, SNI, and the intended Host.

Match hosts precisely

Plain patterns match exactly and wildcards match one subdomain level only.

Avoid lookup amplification

Use a hash and one exact Redis lookup for every presented proxy key.

Cap admission atomically

Enforce per-target, per-key, per-workspace, and global queue or concurrency limits with Redis scripts.

Bound every stream

Count request and response bytes and enforce idle plus absolute upstream deadlines.
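
The destination checks under "Reject unsafe targets", "Pin validated DNS" and "Match hosts precisely" can be combined into one pre-connect gate. The sketch below is an added example, not ThrottleProxy's own code; the https-only scheme set, port 443, the allowlist patterns, the injected resolver and the DNS answers are all assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed policy values; the page does not list its safe schemes or ports.
SAFE_SCHEMES, SAFE_PORTS = {"https"}, {443}
ALLOWLIST = ["api.example.com", "*.example.net"]  # constructed patterns
# Constructed DNS answers so the example runs offline.
FAKE_DNS = {"api.example.com": ["93.184.216.34"],
            "x.example.net": ["169.254.169.254"],
            "y.example.net": ["93.184.216.34", "10.0.0.5"]}

def host_allowed(host, patterns):
    """Plain patterns match exactly; '*.' matches exactly one extra label."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            label, _, rest = host.partition(".")
            if label and rest == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def is_public(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    ip = mapped or ip
    return ip.is_global and not ip.is_multicast

def validate_target(url, resolve, patterns=ALLOWLIST):
    """Return (host, port, pinned_ip) or raise ValueError with the reason."""
    u = urlsplit(url)
    if u.scheme not in SAFE_SCHEMES:
        raise ValueError("unsafe protocol")
    if u.username is not None or u.password is not None:
        raise ValueError("credentials in URL")
    host = u.hostname or ""
    port = 443 if u.port is None else u.port
    if port not in SAFE_PORTS:
        raise ValueError("unsafe port")
    if not host_allowed(host, patterns):
        raise ValueError("host not allowlisted")
    addrs = resolve(host)
    # Every answer must be public, or a mixed record set could slip through.
    if not addrs or not all(is_public(a) for a in addrs):
        raise ValueError("unsafe DNS answer")
    # Connect to addrs[0] only; keep `host` for SNI, cert checks and Host.
    return host, port, addrs[0]

if __name__ == "__main__":
    print(validate_target("https://api.example.com/v1", lambda h: FAKE_DNS.get(h, [])))
```

The caller must open the socket to the returned address rather than resolving the name a second time, otherwise a changed DNS answer between validation and connection bypasses the check.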

Good fit

  • Reviewed public API destinations with predictable protocols and ports.
  • Teams that need resource limits around valid but potentially abusive keys.
  • Applications that can combine proxy controls with edge and provider protections.

Not a replacement for

  • A DDoS scrubbing network or edge rate limiting.
  • Arbitrary private-network access or URL fetching.
  • A guarantee that an upstream provider cannot degrade or reject traffic.

Common questions

Can a valid workspace key reach localhost or cloud metadata?

No. Local names, private and reserved ranges, metadata addresses, and unsafe DNS answers are rejected.

Can chunked bodies bypass size limits?

Request and response limits count streamed bytes rather than trusting Content-Length alone.

Are global abuse controls complete?

No. Per-IP edge limits, network-level slow-client mitigation, and broader abuse telemetry remain separate infrastructure work.

Start with one narrow integration

Use one workspace key, one exact public host, and non-sensitive test traffic.
