
adg76's avatar
Level 1

One throttle group's rate limit affects all other throttle groups

I have three groups within an "auth:api" middleware block:

Route::middleware('auth:api')->group(function () {
    Route::middleware('throttle:5,1,one')->group(function () {
        Route::get('one', function () {
            return 'one';
        });
    });

    Route::middleware('throttle:10,1,two')->group(function () {
        Route::get('two', function () {
            return 'two';
        });
    });

    Route::middleware('throttle:15,1,three')->group(function () {
        Route::get('three', function () {
            return 'three';
        });
    });
});

My intention is for each of the three GET routes to have its own independent limits.

When I issue five quick GET requests to the "one" route, it gives a 429 error as expected. However, when I then immediately issue a GET request to the "two" or "three" routes, they also promptly give a 429.

Note that I have disabled the default throttle setting in Kernel.php:

        'api' => [
            // 'throttle:60,1',
            'bindings',
        ],

Hopefully I'm missing something obvious. Is this normal behaviour? How can I make these all have their own limits? I've scoured all sorts of doc pages, and I can't seem to figure this out.

0 likes
3 replies
adg76's avatar
Level 1

Currently on Laravel 5.8.38. (Haven't had time to upgrade to 6.x, let alone 7.x yet.)

I initially wrote my code using either version 5.2.x or 5.3.x, and did the upgrade steps for each release to 5.8.x.

Note that I've also got OAuth2 via Passport integrated. I followed the official Passport docs when first created. Maybe that's somehow interfering?

Now I'm starting to think I missed something crucial during one of the Laravel version upgrades...

adg76's avatar
Level 1

After another weekend of no luck, I decided to create a new project from scratch using Laravel 7.

I followed all the instructions for installing the base framework, then installed Passport as prescribed. Migrations on a new database were also done. I then disabled the default throttle in Kernel.php, and dropped in the test route code. It worked perfectly. Each of the three routes obeyed their own independent throttle numbers!

So I'm not sure where things went wrong over the life of my API, but I obviously missed a step or two along the upgrade paths somewhere. I don't think it's worth investigating every single step now, so I will probably just copy the data from my old database to the new one and move on.
