I'm trying to set up rate limits in my API proxy in the following way:
It seems that you can achieve this by defining a general rate limit on an API Product, and then defining another rate limit on specific Operations under that API Product, as shown on the screenshot below:
But that doesn't work. When my Quota policy gets invoked, the apiproduct.developer.quota.* flow variables end up being set to the general rate limit. This is what I see in the debugger when making a request to /sensitive:
I think the problem is in how Operation precedence works in API Products, as documented here:
More inclusive, less specific resource paths take precedence over those that are more specific. For example, if you add / and /**, the / resource path takes precedence and the /** resource path is ignored.
I defined a catch-all / operation on the API Product, and it takes precedence over a more specific /sensitive operation.
I don’t want to explicitly define every possible resource path in my API Product. Is there a different approach you’d recommend?