Understanding the importance of throttling rules

In Chapter 17, Securing the API with Authentication and Permissions, we made sure that some requests were authenticated before processing them. We took advantage of many authentication schemes to identify the user that originated the request. Throttling rules also determine whether the request must be authorized or not. We will work with them in combination with authentication.

So far, we haven't established any limits on the usage of our RESTful Web Service. As a result, both unauthenticated and authenticated users can compose and send as many requests as they want. The only thing we have limited is the result set size, through the configuration of the pagination features available in the Django REST framework. Hence, large result sets are split into individual pages of data. However, a user might compose and send thousands of requests to be processed without any kind of limitation. Of course, the servers or virtual machines that run our RESTful Web Services, or the underlying database, can be overloaded by the huge number of requests because we don't have limits.

Throttles control the rate of requests that users can make to our RESTful Web Service. The Django REST framework makes it easy to configure throttling rules. We will use throttling rules to configure the following limitations on the usage of our RESTful Web Service:

  • A maximum of 3 requests per hour for unauthenticated users
  • A maximum of 10 requests per hour for authenticated users
  • A maximum of 20 requests per hour for the drone-related views
  • A maximum of 15 requests per hour for the pilot-related views
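
The four limits above, written as Django REST framework throttle settings and replayed through a simplified sliding-window model of how such rates are enforced. This is an added example, not code from the book or from the framework itself; the scope names `drones` and `pilots`, the `WindowThrottle` class and the sample client address are assumptions.

```python
# Setting keys and throttle class paths are Django REST framework's own;
# the scope names "drones" and "pilots" are assumed for this example.
REST_FRAMEWORK = {
    "DEFAULT_THROTTLE_CLASSES": (
        "rest_framework.throttling.AnonRateThrottle",
        "rest_framework.throttling.UserRateThrottle",
    ),
    "DEFAULT_THROTTLE_RATES": {
        "anon": "3/hour",     # unauthenticated clients, identified by IP
        "user": "10/hour",    # authenticated clients, identified by user id
        "drones": "20/hour",  # views that set throttle_scope = "drones"
        "pilots": "15/hour",  # views that set throttle_scope = "pilots"
    },
}

PERIODS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_rate(rate):
    """'3/hour' -> (3, 3600); only the first letter of the period is used."""
    count, period = rate.split("/")
    return int(count), PERIODS[period[0]]

class WindowThrottle:
    """Hypothetical sliding-window limiter keyed by (scope, client identity)."""
    def __init__(self, rates):
        self.rates = {scope: parse_rate(r) for scope, r in rates.items()}
        self.history = {}  # in-memory stand-in for the cache backend

    def allow(self, scope, ident, now):
        limit, window = self.rates[scope]
        key = (scope, ident)
        # Keep only the requests that still fall inside the window.
        hits = [t for t in self.history.get(key, []) if t > now - window]
        allowed = len(hits) < limit
        if allowed:
            hits.append(now)  # rejected requests are not recorded
        self.history[key] = hits
        return allowed

def simulate(scope, ident, timestamps):
    """Replay constructed request times; return the allow/deny decisions."""
    throttle = WindowThrottle(REST_FRAMEWORK["DEFAULT_THROTTLE_RATES"])
    return [throttle.allow(scope, ident, t) for t in timestamps]

if __name__ == "__main__":
    # Constructed traffic: four anonymous requests in 30 s, one an hour later.
    print(simulate("anon", "203.0.113.7", [0, 10, 20, 30, 3601]))
```

The fourth request is rejected because three requests already sit inside the one-hour window; the fifth is accepted once the first has aged out.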