In the last video, I dug a little deeper into permissions.

Permissions determine if a request is authorized.

Throttling is similar permissions in that it controls access to an API view.

The difference is that throttling controls the rate of requests that a client

can make to an API.

For example, you might want a throttle that lets authenticated users make 500

requests per day.

But anonymous or unauthenticated users only get 100.

There are many different approaches to throttling and

it all depends on the needs of your API.

After this video check out the teacher's notes for

a link to the REST framework documentation on throttling.

It's a good idea to at least look at the different approaches so

that you can make the best decision for your project.

I'm going to enable a global throttle for my API.

I'll also set a limit for authenticated and unauthenticated requests per minute.

Let's go do it.

Okay, to set up throttling, I have to start over here in settings.py and

right down here in my REST framework dictionary again.

So we set up authentication, permissions, pagination, all that stuff, so

now let's add in throttling.

As you can probably guess we set a DEFAULT_THROTTLE_CLASS or sorry CLASSES.

And this is also a tuple and we're gonna actually put two items into this one.

So we're going to rest framework.throttling.AnonRateThrottle.

So this one applies to anonymous users.

And rest_framework.throttling.UserRateThrot-

tle.

And that applies to authenticated users.

I kind of wish that was called AuthRateThrottle or something like that.

But beggars can't be choosers.

And then we'll do DEFAULT_THROTTLE_RATES.

And this is actually pretty awesome, how this works.

So, I specify that the anon rate, which applies to this one, right?

And then I set this as five per minute.

And you can do hours, days, all kinds of stuff there.

Check the docs or the teacher's notes of course.

But it's kind of neat how you just write it like it's English.

And then so for users I'm gonna say they get to do ten per minute.

All right, so not a really heavy throttle but not a really lax one either.

These are probably a little bit,

okay, these are definitely lower than you would use in production.

But it's a lot harder for me to go,

hey I'm gonna show you 1,000 requests in a minute when I'm doing a screencast.

So you understand where I'm coming from, I understand where you're going to go,

you're going to have higher rates in the real world.

You may also have way more complicated of rates where you have to identify like

this user's a paying customer versus this one who's a free customer, and

stuff like that.

Okay, let's not worry about that, let's just make sure that the throttling works.

So let's come over here and let's go to POST,

and I wanna grab my super user.

I mean I guess it doesn't matter.

It's authenticated user.

Okay, so I've got my user here and I'm just gonna try to get courses, so send.

All right, fine, let's use the super user then.

Cool, okay, so sorry about that, it's just, it's weird.

Okay, so I'm going to, I've done one, I get to do ten per minute, right?

So I'm just gonna click this button a few times.

So, one, two, three, four, five, six, seven, eight, nine, ten, 11.

And so I got throttled, right?

I got a 429 Too Many Requests.

And my request was throttled and it will be available again in 41 seconds.

So I've gotta wait just a little bit.

So that's cool,

that's great that I get told how long I have to wait and what's going on.

One last thing about throttling.

How did REST framework know how many requests I had made within the time limit?

REST framework relies on Django's cache backend settings to handle the storage

of the information necessary to track and throttle responses.

I didn't set a cache backend in my project, though, so

Django defaults the local memory cache backend.

This backend is primarily meant for local development as it's not very efficient.

Django provides a couple of different cache backend choices, and

there are many third-party packages that will extend your options.

In a production setting, you'll probably use something like the memcached backend.

I've put a link in the teacher's notes to Django's documentation on cache backends.