# Rate Limits ## List rate limits `client.rateLimits.list(RateLimitListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/zones/{zone_id}/rate_limits` Fetches the rate limits for a zone. ### Parameters - `params: RateLimitListParams` - `zone_id: string` Path param: Defines an identifier. - `page?: number` Query param: Defines the page number of paginated results. - `per_page?: number` Query param: Defines the maximum number of results per page. You can only set the value to `1` or to a multiple of 5 such as `5`, `10`, `15`, or `20`. ### Returns - `RateLimit` - `id?: string` The unique identifier of the rate limit. - `action?: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `bypass?: Array` Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs. - `name?: "url"` - `"url"` - `value?: string` The URL to bypass. - `description?: string` An informative summary of the rule. This value is sanitized and any tags will be removed. - `disabled?: boolean` When true, indicates that the rate limit is currently disabled. - `match?: Match` Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period?: number` The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold?: number` The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const rateLimit of client.rateLimits.list({ zone_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(rateLimit.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "372e67954025e0ba6aaa6d586b9e0b59", "action": { "mode": "challenge", "response": { "body": "This request has been rate-limited.", "content_type": "text/xml" }, "timeout": 86400 }, "bypass": [ { "name": "url", "value": "api.example.com/*" } ], "description": "Prevent multiple login failures to mitigate brute force attacks", "disabled": false, "match": { "headers": [ { "name": "Cf-Cache-Status", "op": "ne", "value": "HIT" } ], "request": { "methods": [ "GET", "POST" ], "schemes": [ "HTTP", "HTTPS" ], "url": "*.example.org/path*" }, "response": { "origin_traffic": true } }, "period": 900, "threshold": 60 } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get a rate limit `client.rateLimits.get(stringrateLimitId, RateLimitGetParamsparams, RequestOptionsoptions?): RateLimit` **get** `/zones/{zone_id}/rate_limits/{rate_limit_id}` Fetches the details of a rate limit. ### Parameters - `rateLimitId: string` Defines the unique identifier of the rate limit. - `params: RateLimitGetParams` - `zone_id: string` Defines an identifier. ### Returns - `RateLimit` - `id?: string` The unique identifier of the rate limit. - `action?: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `bypass?: Array` Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs. - `name?: "url"` - `"url"` - `value?: string` The URL to bypass. - `description?: string` An informative summary of the rule. This value is sanitized and any tags will be removed. - `disabled?: boolean` When true, indicates that the rate limit is currently disabled. - `match?: Match` Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period?: number` The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold?: number` The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const rateLimit = await client.rateLimits.get('372e67954025e0ba6aaa6d586b9e0b59', { zone_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(rateLimit.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "372e67954025e0ba6aaa6d586b9e0b59", "action": { "mode": "challenge", "response": { "body": "This request has been rate-limited.", "content_type": "text/xml" }, "timeout": 86400 }, "bypass": [ { "name": "url", "value": "api.example.com/*" } ], "description": "Prevent multiple login failures to mitigate brute force attacks", "disabled": false, "match": { "headers": [ { "name": "Cf-Cache-Status", "op": "ne", "value": "HIT" } ], "request": { "methods": [ "GET", "POST" ], "schemes": [ "HTTP", "HTTPS" ], "url": "*.example.org/path*" }, "response": { "origin_traffic": true } }, "period": 900, "threshold": 60 }, "success": true } ``` ## Create a rate limit `client.rateLimits.create(RateLimitCreateParamsparams, RequestOptionsoptions?): RateLimit` **post** `/zones/{zone_id}/rate_limits` Creates a new rate limit for a zone. Refer to the object definition for a list of required attributes. ### Parameters - `params: RateLimitCreateParams` - `zone_id: string` Path param: Defines an identifier. - `action: Action` Body param: The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `match: Match` Body param: Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period: number` Body param: The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold: number` Body param: The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period. ### Returns - `RateLimit` - `id?: string` The unique identifier of the rate limit. - `action?: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `bypass?: Array` Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs. - `name?: "url"` - `"url"` - `value?: string` The URL to bypass. - `description?: string` An informative summary of the rule. This value is sanitized and any tags will be removed. - `disabled?: boolean` When true, indicates that the rate limit is currently disabled. - `match?: Match` Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period?: number` The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold?: number` The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const rateLimit = await client.rateLimits.create({ zone_id: '023e105f4ecef8ad9ca31a8372d0c353', action: {}, match: {}, period: 900, threshold: 60, }); console.log(rateLimit.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "372e67954025e0ba6aaa6d586b9e0b59", "action": { "mode": "challenge", "response": { "body": "This request has been rate-limited.", "content_type": "text/xml" }, "timeout": 86400 }, "bypass": [ { "name": "url", "value": "api.example.com/*" } ], "description": "Prevent multiple login failures to mitigate brute force attacks", "disabled": false, "match": { "headers": [ { "name": "Cf-Cache-Status", "op": "ne", "value": "HIT" } ], "request": { "methods": [ "GET", "POST" ], "schemes": [ "HTTP", "HTTPS" ], "url": "*.example.org/path*" }, "response": { "origin_traffic": true } }, "period": 900, "threshold": 60 }, "success": true } ``` ## Update a rate limit `client.rateLimits.edit(stringrateLimitId, RateLimitEditParamsparams, RequestOptionsoptions?): RateLimit` **put** `/zones/{zone_id}/rate_limits/{rate_limit_id}` Updates an existing rate limit. ### Parameters - `rateLimitId: string` Defines the unique identifier of the rate limit. - `params: RateLimitEditParams` - `zone_id: string` Path param: Defines an identifier. - `action: Action` Body param: The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `match: Match` Body param: Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period: number` Body param: The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold: number` Body param: The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period. ### Returns - `RateLimit` - `id?: string` The unique identifier of the rate limit. - `action?: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `bypass?: Array` Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs. - `name?: "url"` - `"url"` - `value?: string` The URL to bypass. - `description?: string` An informative summary of the rule. This value is sanitized and any tags will be removed. - `disabled?: boolean` When true, indicates that the rate limit is currently disabled. - `match?: Match` Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period?: number` The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold?: number` The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const rateLimit = await client.rateLimits.edit('372e67954025e0ba6aaa6d586b9e0b59', { zone_id: '023e105f4ecef8ad9ca31a8372d0c353', action: {}, match: {}, period: 900, threshold: 60, }); console.log(rateLimit.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "372e67954025e0ba6aaa6d586b9e0b59", "action": { "mode": "challenge", "response": { "body": "This request has been rate-limited.", "content_type": "text/xml" }, "timeout": 86400 }, "bypass": [ { "name": "url", "value": "api.example.com/*" } ], "description": "Prevent multiple login failures to mitigate brute force attacks", "disabled": false, "match": { "headers": [ { "name": "Cf-Cache-Status", "op": "ne", "value": "HIT" } ], "request": { "methods": [ "GET", "POST" ], "schemes": [ "HTTP", "HTTPS" ], "url": "*.example.org/path*" }, "response": { "origin_traffic": true } }, "period": 900, "threshold": 60 }, "success": true } ``` ## Delete a rate limit `client.rateLimits.delete(stringrateLimitId, RateLimitDeleteParamsparams, RequestOptionsoptions?): RateLimitDeleteResponse` **delete** `/zones/{zone_id}/rate_limits/{rate_limit_id}` Deletes an existing rate limit. ### Parameters - `rateLimitId: string` Defines the unique identifier of the rate limit. - `params: RateLimitDeleteParams` - `zone_id: string` Defines an identifier. ### Returns - `RateLimitDeleteResponse` - `id?: string` The unique identifier of the rate limit. - `action?: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `bypass?: Array` Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs. - `name?: "url"` - `"url"` - `value?: string` The URL to bypass. - `description?: string` An informative summary of the rule. This value is sanitized and any tags will be removed. - `disabled?: boolean` When true, indicates that the rate limit is currently disabled. - `match?: Match` Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period?: number` The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold?: number` The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period. ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const rateLimit = await client.rateLimits.delete('372e67954025e0ba6aaa6d586b9e0b59', { zone_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(rateLimit.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "372e67954025e0ba6aaa6d586b9e0b59", "action": { "mode": "challenge", "response": { "body": "This request has been rate-limited.", "content_type": "text/xml" }, "timeout": 86400 }, "bypass": [ { "name": "url", "value": "api.example.com/*" } ], "description": "Prevent multiple login failures to mitigate brute force attacks", "disabled": false, "match": { "headers": [ { "name": "Cf-Cache-Status", "op": "ne", "value": "HIT" } ], "request": { "methods": [ "GET", "POST" ], "schemes": [ "HTTP", "HTTPS" ], "url": "*.example.org/path*" }, "response": { "origin_traffic": true } }, "period": 900, "threshold": 60 }, "success": true } ``` ## Domain Types ### Action - `Action = "block" | "challenge" | "js_challenge" | 4 more` The action to apply to a matched request. The `log` action is only available on an Enterprise plan. - `"block"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `"allow"` - `"log"` - `"bypass"` ### Rate Limit - `RateLimit` - `id?: string` The unique identifier of the rate limit. - `action?: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `bypass?: Array` Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs. - `name?: "url"` - `"url"` - `value?: string` The URL to bypass. - `description?: string` An informative summary of the rule. This value is sanitized and any tags will be removed. - `disabled?: boolean` When true, indicates that the rate limit is currently disabled. - `match?: Match` Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period?: number` The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold?: number` The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period. ### Rate Limit Delete Response - `RateLimitDeleteResponse` - `id?: string` The unique identifier of the rate limit. - `action?: Action` The action to perform when the threshold of matched traffic within the configured period is exceeded. - `mode?: "simulate" | "ban" | "challenge" | 2 more` The action to perform. - `"simulate"` - `"ban"` - `"challenge"` - `"js_challenge"` - `"managed_challenge"` - `response?: Response` A custom content type and reponse to return when the threshold is exceeded. The custom response configured in this object will override the custom error for the zone. This object is optional. Notes: If you omit this object, Cloudflare will use the default HTML error page. If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone challenge pages and you should not provide the "response" object. - `body?: string` The response body to return. The value must conform to the configured content type. - `content_type?: string` The content type of the body. Must be one of the following: `text/plain`, `text/xml`, or `application/json`. - `timeout?: number` The time in seconds during which Cloudflare will perform the mitigation action. Must be an integer value greater than or equal to the period. Notes: If "mode" is "challenge", "managed_challenge", or "js_challenge", Cloudflare will use the zone's Challenge Passage time and you should not provide this value. - `bypass?: Array` Criteria specifying when the current rate limit should be bypassed. You can specify that the rate limit should not apply to one or more URLs. - `name?: "url"` - `"url"` - `value?: string` The URL to bypass. - `description?: string` An informative summary of the rule. This value is sanitized and any tags will be removed. - `disabled?: boolean` When true, indicates that the rate limit is currently disabled. - `match?: Match` Determines which traffic the rate limit counts towards the threshold. - `headers?: Array
` - `name?: string` The name of the response header to match. - `op?: "eq" | "ne"` The operator used when matching: `eq` means "equal" and `ne` means "not equal". - `"eq"` - `"ne"` - `value?: string` The value of the response header, which must match exactly. - `request?: Request` - `methods?: Array<"GET" | "POST" | "PUT" | 4 more>` The HTTP methods to match. You can specify a subset (for example, `['POST','PUT']`) or all methods (`['_ALL_']`). This field is optional when creating a rate limit. - `"GET"` - `"POST"` - `"PUT"` - `"DELETE"` - `"PATCH"` - `"HEAD"` - `"_ALL_"` - `schemes?: Array` The HTTP schemes to match. You can specify one scheme (`['HTTPS']`), both schemes (`['HTTP','HTTPS']`), or all schemes (`['_ALL_']`). This field is optional. - `url?: string` The URL pattern to match, composed of a host and a path such as `example.org/path*`. Normalization is applied before the pattern is matched. `*` wildcards are expanded to match applicable traffic. Query strings are not matched. Set the value to `*` to match all traffic to your zone. - `response?: Response` - `origin_traffic?: boolean` When true, only the uncached traffic served from your origin servers will count towards rate limiting. In this case, any cached traffic served by Cloudflare will not count towards rate limiting. This field is optional. Notes: This field is deprecated. Instead, use response headers and set "origin_traffic" to "false" to avoid legacy behaviour interacting with the "response_headers" property. - `period?: number` The time in seconds (an integer value) to count matching traffic. If the count exceeds the configured threshold within this period, Cloudflare will perform the configured action. - `threshold?: number` The threshold that will trigger the configured mitigation action. Configure this value along with the `period` property to establish a threshold per period.