Volumetric Abuse Detection
Cloudflare Volumetric Abuse Detection helps you set up a system of adaptive rate limiting.
Cloudflare looks for endpoint abuse based on user traffic to individual endpoints.
For example, your API might see different levels of traffic to a /reset-password endpoint than a /login endpoint. Additionally, your /login endpoint might see higher than average traffic after a successful marketing campaign.
These two scenarios speak to the limitations of traditional rate limiting. Not only does traffic vary between endpoints, but it also can vary over time for the same endpoint. Volumetric Abuse Detection solves these problems with unsupervised learning to develop separate baselines for each API and better adjust to changes in user behavior.
Volumetric Abuse Detection rate limits are generated on a per-session basis. Unlike traditional rate limits, which are based on IP addresses, Volumetric Abuse Detection rate limits are not as susceptible to false positives when traffic to your API increases.
Volumetric Abuse Detection rate limits are a way to prevent blatant volumetric abuse while minimizing false positives. If you are trying to prevent abusive bot traffic altogether, refer to Cloudflare’s Bot solutions.
Volumetric Abuse Detection analyzes your API's individual session traffic statistics to recommend per-endpoint, per-session rate limits.
To access your endpoints:
Old dashboard: Security > API Shield > Endpoint Management
New dashboard: Security > Web Assets > Endpoints
Recommendations will continue to update if your traffic pattern changes.
Volumetric Abuse Detection generates rate limit thresholds only after collecting sufficient, statistically safe traffic data for an endpoint. If recommendations are missing for a discovered endpoint, the traffic likely failed to meet the necessary criteria.
Thresholds are suggested only for endpoints that satisfy all of the following requirements within the last seven days (or since initial discovery):
- The endpoint must receive sufficient valid traffic (traffic that meets the API Discovery criteria). Intermittent or erratic traffic may prevent suggestions.
- The endpoint must be accessed by at least 50 distinct sessions in any 24-hour period during the last seven days.
- Session identifiers, such as an authorization token available as a request header or cookie, must be configured to allow Cloudflare to accurately detect individual sessions and perform the required per-session rate analysis.
After adding a session identifier, allow 24 hours for rate limit recommendations to appear on endpoints in the Cloudflare dashboard.
Once rate limit recommendations appear in Endpoints, select the endpoint row to view more detail about the recommendation. You will see the overall recommended rate limit value, as well as p99, p90, and p50 rate limit values.
We calculate the recommended rate limit value throughout the day, and the new calculation may equal the existing recommendation due to similar traffic profiles existing on your API. When we recalculate, we look at requests that happened in the last 24 hours.
Cloudflare recommends choosing the overall rate limit recommendation, as our analysis includes the variance of the request rate distribution across your API sessions. Choosing a single p-value may cause false positives due to a high number of outliers.
In Endpoints, you can review our confidence in the recommendation and how many unique sessions we have seen over the last seven (7) days. In general, endpoints with fewer unique sessions and high variability of user behavior will have lower confidence scores.
Implementing low confidence rate limits can still be helpful to prevent API abuse. If you are hesitant due to the recommendation’s confidence, we suggest starting your rate limit rule in log mode and observing violations of the rule for false positives.
Refer to the Rules documentation ↗ for more information on how to create an Advanced Rate Limiting rule.
Rate limit recommendations are available via the API if you would like to dynamically update rate limits over time.
Required API token permissions
At least one of the following token permissions
is required:
Account API GatewayAccount API Gateway ReadDomain API GatewayDomain API Gateway Read
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/api_gateway/operations/$OPERATION_ID" \ --request GET \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"You can rate limit requests based on any claim inside of a JSON Web Token (JWT), such as:
- Registered claims like
audorsub - Custom claims like
userEmail, including nested custom claims likeuser.email
Rate limiting based on JWT claim values will only work on valid JSON Web Tokens. If you do not block invalid JSON Web Tokens on your path, the JWT claims will all be counted and possibly blocked if high traffic is detected in the Point of Presence (PoP).
You must also count the JWT claim that uniquely identifies the user. If you select a claim that is the same for many of your users, their rate limits will all be counted together.
If you offer multiple tiers on your website or application and you want to enforce rate limiting based on the tiers, such as:
- If
"aud": "free-tier", rate limit to five requests per minute. - If
"aud": "premium-tier", rate limit to 50 requests per minute.
You can follow the rate limiting rule example below:
(http.request.method eq "GET" andhttp.host eq "<YOUR_DOMAIN>" andhttp.request.uri.path matches "</EXAMPLE_PATH>" andlookup_json_string(http.request.jwt.claims["<JWT_TOKEN_CONFIGURATION_ID>"][0], "aud") eq "free-tier"API Shield will always calculate recommendations when session identifiers are configured. To enable session-based rate limits, subscribe to Advanced Rate Limiting.
Volumetric Abuse Detection is only available for Enterprise customers. If you are an Enterprise customer and interested in this product, contact your account team.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark