We are CORS enabled
Cross-origin resource sharing (CORS) is a standard for accessing web resources on different domains. CORS allows web scripts to interact more openly with content outside of the original domain, leading to better integration between web services.
In cases where cross-domain scripting is desired, CORS allows web developers to work around the same-origin policy. CORS adds HTTP headers which instruct web browsers on how to use and manage cross-domain content. The browser then allows or denies access to the content based on its security configuration.
PeopleStrong APIs belong to the Representational State Transfer (REST) category. They allow you to perform 'RESTful' operations such as reading, modifying and adding data, with Cross-Origin Resource Sharing (CORS) support.
Throttle API requests for better throughput
To prevent your APIs from being overwhelmed by too many requests, the PeopleStrong API Gateway throttles requests to your API using different algorithms, such as token-based, consumer-based or IP-based limits. Specifically, the API gateway sets a limit on a steady-state rate and a burst of request submissions against all APIs in your account.
When request submissions exceed the steady-state request rate and burst limits, the API gateway fails the limit-exceeding requests and returns ‘429 Too Many Requests’ error responses to the client. Upon catching such errors, the client can resubmit the failed requests at a reduced rate, staying within the API gateway throttling limits.
As an API developer, you can set the limits for individual API stages or methods to improve overall performance across all APIs in your account. Alternatively, you can enable usage plans to restrict client request submissions to specified request rates and quotas. This restricts the overall request submissions so that they do not go significantly past the account-level throttling limits.
PeopleStrong API gateway usage plans now allow you to throttle requests for individual methods at different rates by configuring method level throttling.
Usage plans allow you to grant customers access to selected APIs at specific request rates and quotas. With method level throttling now included in usage plans, you can configure throttling (rate and burst limits) on individual client API keys for different API methods. This enables you to set more granular access controls to an API based on its use case.
The API key is the client-specific identifier that is generated at the PeopleStrong API gateway and shared with the client to access the API. The key is validated at the API gateway, and once validated the requested resources can be accessed (provided the authorization is validated too). This API key is a mandatory header parameter in every API call.
For authorization, a JWT token is generated by the PeopleStrong central identity provider. Any source that needs to access the API is required to get the token from the PeopleStrong Auth Server and pass this token, along with the API key, in subsequent API calls to access the resources.
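The following is an added example, not PeopleStrong code: a client helper that sends both credentials described above (API key header plus JWT bearer token) and retries on the ‘429 Too Many Requests’ responses described in the throttling section, against a constructed stand-in for the gateway's steady-state-rate and burst limits. The header name `X-API-Key` and the `Retry-After` hint are assumptions; the page names neither.

```python
import math

# Assumed header name for the API key; the page does not name it.
API_KEY_HEADER = "X-API-Key"  # hypothetical

def auth_headers(api_key: str, jwt: str) -> dict:
    """Both credentials the page requires: API key header plus JWT bearer token."""
    return {API_KEY_HEADER: api_key, "Authorization": f"Bearer {jwt}"}

class FakeGateway:
    """Constructed stand-in for the gateway: checks credentials, then applies a
    token bucket with steady-state `rate` (tokens/second) and `burst` capacity."""

    def __init__(self, rate: float, burst: int, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = float(burst), clock()

    def handle(self, headers: dict) -> tuple:
        if API_KEY_HEADER not in headers or not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {}  # key or token missing: rejected before any throttling
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:  # burst spent and refill too slow: throttle
            return 429, {"Retry-After": str(math.ceil((1 - self.tokens) / self.rate))}
        self.tokens -= 1
        return 200, {}

def call_with_backoff(send, headers: dict, sleep, max_attempts: int = 5) -> tuple:
    """Retry on 429, honouring Retry-After when present, else exponential backoff
    capped at 8 s. Returns (final status, attempts used)."""
    delay = 0.5
    for attempt in range(1, max_attempts + 1):
        status, resp = send(headers)
        if status != 429:
            return status, attempt
        sleep(float(resp.get("Retry-After", delay)))
        delay = min(delay * 2, 8.0)
    return 429, max_attempts

def run_burst_scenario() -> list:
    """Four back-to-back calls at rate=1/s, burst=3: three pass, the fourth is
    throttled once and succeeds after waiting Retry-After (constructed values)."""
    clock = {"t": 0.0}
    gw = FakeGateway(rate=1.0, burst=3, clock=lambda: clock["t"])
    sleep = lambda s: clock.update(t=clock["t"] + s)  # simulated sleep advances the clock
    hdrs = auth_headers("constructed-api-key", "constructed.jwt.token")
    return [call_with_backoff(gw.handle, hdrs, sleep) for _ in range(4)]
```

Swap `gw.handle` for a real transport that returns `(status, response_headers)` to use the same retry loop against the gateway.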