
Advice on configuring Rate Limiting for unauthenticated users

Hi guys, beginner here looking for some tips.

I'm working on a project with Laravel 11.x and would like to make some custom configurations to the requests being made to the application. So far I'm using Sanctum for auth and have guarded the routes with it.

If users making requests are unauthenticated, could it be possible to block their requests for a specified amount of time?

I was running some tests making unauth requests, and the Sanctum middleware is always catching the AuthorizationException.

I'm not sure exactly what change would need to be done here for this to work.

Appreciate any advice.

api.php

Route::middleware(['auth:sanctum', 'throttle:unauthenticated'])->group(function () {
    // Routes here...
});

AppServiceProvider.php

// Imports needed at the top of app/Providers/AppServiceProvider.php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

public function boot(): void
{
    RateLimiter::for('unauthenticated', function (Request $request) {
        // Key the limit on the client IP: 5 requests per minute.
        return Limit::perMinute(5)
            ->by($request->ip())
            ->response(function (Request $request, array $headers) {
                // Laravel passes the Retry-After / X-RateLimit-* headers here.
                return response('Limit of unauth requests achieved.', 429, $headers);
            });
    });
}
martinbean

@rodosabbath The Laravel docs show you an example of defining different rate limits for guests versus authenticated users. From https://laravel.com/docs/11.x/routing#segmenting-rate-limits:

To illustrate this feature using another example, we can limit access to the route to 100 times per minute per authenticated user ID or 10 times per minute per IP address for guests:

RateLimiter::for('uploads', function (Request $request) {
    return $request->user()
                ? Limit::perMinute(100)->by($request->user()->id)
                : Limit::perMinute(10)->by($request->ip());
});

So for authenticated users, they're rate-limited to 100 requests per minute. Guests are rate-limited to 10 requests per minute.

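Putting the question and the docs example together, as an added example (not code from either poster or from the Laravel docs): three files of a Laravel 11.x application with Sanctum installed. The limiter name `api-guests`, the `/profile` route and the numeric limits are constructed for illustration. The point it adds is ordering: Laravel sorts route middleware by a priority list in which the authentication middleware (`AuthenticatesRequests`) is ranked ahead of `ThrottleRequests`, so on a route carrying both `auth:sanctum` and `throttle:...` a guest is rejected by auth before the limiter ever counts the request, whatever order the aliases appear in `routes/api.php`. That is why the original setup only ever produced the auth exception. Reordering the priority list puts the throttle in front, `Limit::perMinutes(decay, attempts)` gives the "block for a specified amount of time", and the rate-limited response passes Laravel's `Retry-After` headers through.

```php
<?php
// Added example, not the poster's or the docs' code. Assumes Laravel 11.x with
// Sanctum. 'api-guests', '/profile' and the limits below are constructed values.

// --- bootstrap/app.php -------------------------------------------------------
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        api: __DIR__.'/../routes/api.php',
        commands: __DIR__.'/../routes/console.php',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // Laravel's default priority list, with the two throttle classes moved
        // ahead of AuthenticatesRequests so guests reach the limiter.
        $middleware->priority([
            \Illuminate\Foundation\Http\Middleware\HandlePrecognitiveRequests::class,
            \Illuminate\Cookie\Middleware\EncryptCookies::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \Illuminate\Routing\Middleware\ThrottleRequests::class,
            \Illuminate\Routing\Middleware\ThrottleRequestsWithRedis::class,
            \Illuminate\Contracts\Auth\Middleware\AuthenticatesRequests::class,
            \Illuminate\Contracts\Session\Middleware\AuthenticatesSessions::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
            \Illuminate\Auth\Middleware\Authorize::class,
        ]);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })
    ->create();

// --- app/Providers/AppServiceProvider.php ------------------------------------
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

public function boot(): void
{
    RateLimiter::for('api-guests', function (Request $request) {
        // The limiter now runs before auth:sanctum, so the default guard has not
        // been switched yet; ask the sanctum guard explicitly.
        $user = $request->user('sanctum');

        if ($user !== null) {
            // Authenticated callers: a per-user budget that survives IP changes.
            return Limit::perMinute(100)->by('user:'.$user->getAuthIdentifier());
        }

        // Guests: 5 attempts, then the IP is refused until the 15-minute window
        // ends. perMinutes(decayMinutes, maxAttempts) is the "block for N minutes".
        return Limit::perMinutes(15, 5)
            ->by('ip:'.$request->ip())
            ->response(function (Request $request, array $headers) {
                // $headers carries Retry-After and X-RateLimit-*; pass them through
                // so well-behaved clients know when to come back.
                return response()->json(
                    ['message' => 'Too many unauthenticated requests.'],
                    429,
                    $headers,
                );
            });
    });
}

// --- routes/api.php ----------------------------------------------------------
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Alias order here is cosmetic; the priority list above decides execution order.
Route::middleware(['throttle:api-guests', 'auth:sanctum'])->group(function () {
    Route::get('/profile', fn (Request $request) => $request->user());
});
```

With this in place a guest's first five requests in a window are still answered with Sanctum's 401, and from the sixth onward the throttle answers 429 until the window expires; an authenticated user is counted against their own key and is unaffected by other clients on the same address. Keying on `$request->ip()` is only meaningful if the app sees the real client address: behind a load balancer or CDN, configure trusted proxies (`$middleware->trustProxies(...)` in Laravel 11) so the forwarded address is honoured only from hosts you control, otherwise every client shares the proxy's IP and one bucket.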
