API rate limit proxy
ThrottleProxy authenticates workspace traffic, approves the destination, applies shared limits, queues eligible bursts, strips proxy credentials, and returns the upstream response within explicit resource boundaries.
Core responsibilities
A useful protection layer also needs tenant scope, destination policy, bounded resource use, credential separation, and privacy-safe operational evidence.
Resolve a workspace-scoped API key before spending upstream network resources.
Permit only approved public host patterns while rejecting unsafe protocols, ports, and private targets.
Apply Redis-backed rate and concurrency decisions consistently across workers.
Hold eligible requests briefly within explicit per-target, key, workspace, and global caps.
Use the ThrottleProxy key only for proxy authentication and strip it before upstream forwarding.
Keep status, stage, timing, and correlation context without storing raw secrets or request bodies.
It is a controlled network layer between an application and approved upstream APIs. It authenticates callers and applies traffic policy before forwarding a request.
No. It helps shape and bound your traffic, but the upstream provider remains authoritative and may enforce additional account, model, endpoint, or time-window limits.
No. ThrottleProxy credentials authenticate the caller to the proxy and are stripped before the outbound request. Provider credentials require a separate explicit mechanism.
No. Destinations must match approved host patterns and pass protocol, port, DNS, private-range, metadata, and self-target safety checks.
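An added example (not ThrottleProxy's own code) of the destination checks named above: protocol, port, self-target, approved host pattern, DNS, metadata, and private-range. The function name, the 443-only port policy, the reason strings, and the injectable resolver are assumptions made for illustration.

```python
import fnmatch
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {443}  # assumption: HTTPS on the default port only
METADATA_IPS = {ipaddress.ip_address("169.254.169.254")}  # common cloud metadata address

def system_resolver(host):
    """Resolve a host name to IP strings with the OS resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_destination(url, allowed_patterns, self_hosts=(), resolver=system_resolver):
    """Return (allowed, reason, vetted_ips) for an outbound target URL."""
    try:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else 443
    except ValueError:
        return False, "url", []
    if parts.scheme != "https":
        return False, "protocol", []
    if port not in ALLOWED_PORTS:
        return False, "port", []
    host = (parts.hostname or "").rstrip(".").lower()
    if host in {h.lower() for h in self_hosts}:
        return False, "self-target", []
    if not any(fnmatch.fnmatchcase(host, p) for p in allowed_patterns):
        return False, "host-pattern", []
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (OSError, ValueError):
        return False, "dns", []
    if not addrs:
        return False, "dns", []
    for ip in addrs:
        # Unwrap ::ffff:a.b.c.d so a mapped private address is not missed.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if ip in METADATA_IPS:
            return False, "metadata", []
        if not ip.is_global:  # loopback, RFC 1918, link-local, reserved, ...
            return False, "private-range", []
    # Every resolved address must pass. The caller should connect to these
    # vetted IPs rather than resolving again, so a later DNS answer cannot
    # swap in an unchecked address.
    return True, "ok", [str(a) for a in addrs]
```

The resolver is injectable so the policy can be exercised against constructed DNS answers without network access.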
Start with one workspace, one application key, one exact public upstream host, and non-sensitive traffic.