How to use the Rate Limiting API without being a coder

Rate Limiting protects your critical resources from service degradation and inflating infrastructure costs by providing fine-grained control to block visitors with suspicious request rates.

Rate Limiting protects against denial-of-service attacks, brute-force password attempts, and other types of abusive behavior targeting the application layer.

Currently, all Cloudflare users have the ability to set these protections through the Cloudflare API.  

Using an API may sound scary, but if you don’t mind some cutting and pasting, you can try out Rate Limiting today, before the UI is released!

 Step 1: Get Postman

Postman is an application that lets you interact with any API through a simple user interface. To download Postman, go here:

Step 2: Enter your URL

Use this as your URL:[:zone_id]/rate_limits

It should look like this:

  1. Set your dropdown on the left to POST
  2. Cut and paste the URL
  3. That little thing [:zone_id] — we are going to substitute the whole thing with your zone ID

 Step 3: Enter your zone ID and where do I find it?

Your domain (e.g. has a unique Cloudflare zone ID.

Go to the Overview page in your Cloudflare dashboard and look for the word “Zone ID”.  Click to copy your unique zone ID and then paste that completely over the entire string “[:zone_id]” — including the []’s.

Step 4: In Postman, add your headers

Click on the headers tab:

Add the values as I have typed them:

X-Auth-Email enter you email associated with the Cloudflare account

X-Auth-Key enter your API key.

Accept: application/json

Content-type: application/json

You can find your API key under [your profile name] (upper right hand corner) > My Settings > Account

Enter those values.

Step 5. In Postman, now click on the body tab

  1. Click on radio button “raw
  2. Dropdown to JSON
  3. Cut and paste this exactly as you see it (we will make modifications next)
{ "match": {
             "request": {    "methods": [
                              "schemes": [
                            "url": "*"
     "threshold": 50,
     "period": 1,
     "action": {
                     "mode": "ban",
                     "timeout": 3600
  "description": "my first Cloudflare rate limiting rule"

Step 6. Modify the following key values

URL: Currently it is * which means your whole site.  If you want to specify a single URL, enter it here — as you do with page rules.

If you want to do just your home page, type is as follows:

Threshold: This is the number of requests that, if they reached your origin and matched the URL, would constitute an attack.  50 is a pretty high number when the period = 1 but adjust accordingly to the needs of your site.

Period: The number of seconds to count.  

For example, if my Threshold is 50 and I set my Period to ‘1’ second the rate limit is 50 requests per second; if I set it to ‘60’ seconds then that would be 50 requests per minute.

 Action: This is the length of time that you block an attacker.  If my timeout is 3,600 seconds, that equals an hour — 60 sec * 60 min.

Step 7. Press Send and look at the response

You should be able to press the Send button and see a response.  If the response is ‘200’ that means you have successfully created a rate limit.

The rule ID was generated in the response after you hit send with POST:

  1. When status shows 200 OK, you did it!
  2. The ID in the result (go to “Body” tab) — you need that rule to delete or change it!

To delete this rule you just created:

  1. Select DELETE in the Drop Down
  2. Change URL to:

In general, any action that can be done in the API can also be done in Postman. If you have any difficulty copying the raw API commands for use in Postman, open a Support ticket and we'll be happy to assist you.

Still not finding what you need?

The CloudFlare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk