
bala_dev

Laravel Rate Limiting Limit

Hello Everyone,

May I know what is the highest rate limiting number we can set with Laravel? I have tried to check with the default and via Google, but I am not able to find this.

In my project, there will be 100,000 viewers in case of a big launch. So in this scenario, the customers will be accessing the page, which calls the Laravel backend API. Sometimes we are getting a 429 status with a "Too Many Attempts" error message. Can anyone guide me on the best way to handle this?

FYI: I have already increased the Rate Limit to a high number, but still I am getting the 429 issue.

api.php
Route::middleware('throttle:10000000,1')->group(function () {
    Route::get('/api1',[CLASS::class,'method'])->middleware(['auth:sanctum']);
    Route::get('/api2',[CLASS::class,'method'])->middleware(['auth:sanctum']);
});

So if anyone can help me with this, it will be appreciated.

Thanks in advance.

1 like
4 replies
vincent15000

The 429 error is not related to a high number of visitors at the same time, but to a unique user who has exceeded the rate limit.

You have to estimate how many requests a user can make per minute and configure the rate limit accordingly.

Can somebody confirm?

bala_dev

Thanks @vincent15000 for replying.

Yes, you're right. The 429 error happens based on the IP. In our case, the client has a separate system (both frontend and backend), and they are calling our Laravel application via their backend.

So in this case, requests from multiple frontend users are considered a single user's requests (since they come from the backend).

While checking today, I have found that Laravel works as below.

Scenario 1

Provided RouteServiceProvider.php as Limit 2, Provided api.php as Limit 5, Returned 200 -> 2 times.

Scenario 2

Provided RouteServiceProvider.php as Limit 2, Provided api.php as Limit 1, Returned 200 -> 1 time.

I am thinking of implementing a custom RouteServiceProvider for my APIs, and then giving them the larger rate limit to avoid this issue. Can anyone suggest if this is the recommended way, or is there a better way to approach this problem?

Thanks.

1 like
vincent15000

@bala_dev I'm not sure it's a good idea to give the largest rate limit. If you do so, you would be exposed to brute force password cracking.

There is probably a better way: set the required rate limit for your client and apply this rate limit only for this client (and your client would be identified by his IP address).

1 like
Snapey

If requests are coming from another server, you can whitelist the server so that it is not subjected to any rate limiting.

The rate limiting should be applied on the user facing server.

2 likes
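
One way to implement the per-client limit vincent15000 suggests and the allowlisting Snapey describes, as an added example that is not code from the thread. It assumes a Laravel 8-10 style RouteServiceProvider and routes that use the named `throttle:api` limiter instead of `throttle:10000000,1`; the IP address and the limit values are constructed placeholders.

```php
<?php
// app/Providers/RouteServiceProvider.php (assumed Laravel 8-10 layout)

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

class RouteServiceProvider extends ServiceProvider
{
    // Constructed sample value from the TEST-NET-3 documentation range;
    // replace with the partner backend's real egress address(es).
    private const PARTNER_BACKEND_IPS = ['203.0.113.10'];

    public function boot(): void
    {
        RateLimiter::for('api', function (Request $request) {
            // $request->ip() is only trustworthy when trusted proxies are
            // configured narrowly; trusting every proxy lets any caller
            // claim the partner address through X-Forwarded-For.
            if (in_array($request->ip(), self::PARTNER_BACKEND_IPS, true)) {
                // The partner's server aggregates many end users behind one
                // IP, so it gets its own bucket and ceiling (placeholder
                // value). Returning Limit::none() here would exempt it
                // entirely, which shifts all limiting to the partner's
                // user-facing server.
                return Limit::perMinute(100000)->by('partner:' . $request->ip());
            }

            // Everyone else keeps a low limit, keyed per authenticated user
            // and falling back to the client IP, so brute-force attempts
            // against the API are still throttled.
            return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
        });

        $this->routes(function () {
            // The default 'api' middleware group already includes
            // 'throttle:api', so the routes in api.php need no extra throttle.
            Route::middleware('api')->prefix('api')->group(base_path('routes/api.php'));
            Route::middleware('web')->group(base_path('routes/web.php'));
        });
    }
}
```

If a route keeps its own `throttle:` middleware in addition to the group's `throttle:api`, both limiters apply and the lower one decides, which matches the two scenarios reported above.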
