Thrysha API
Quota API lets you enforce per-resource quotas with simple HTTP APIs.
Use this API to register resources, attach quota rules, and then check or consume usage. Typical use cases include daily API call limits, monthly credit balances, or per-tenant rate limits.
Use this URL for all API requests: https://quota-api.thrysha.io.
Every request must send its API key in the Authorization header.
API keys are required for every endpoint. Keep them server-side only, rotate them regularly, and scope them per environment. Requests with missing or invalid keys are rejected before any work is done.
Authorization: Bearer <API_KEY> Content-Type: application/json
How resources, rules, and enforcement fit together.
• Resource – A logical thing being limited (e.g., “Payments API calls”, “SMS sends”, “team seats”). • Quota rule – Policy attached to a resource that defines how much usage is allowed and when it resets. • quota_policy – "limited" enforces a hard cap; "unlimited" only tracks usage. • enforcement_mode – "enforced" blocks over-limit usage; "observe" records usage but always allows. • reset_strategy – includes unit (hour/day/week/month/year/never) and interval (>0, ignored for never) to control resets. • idempotency – request_id ensures retries don't double-charge or double-consume.
A concrete example of capping a domain-specific action with quotas.
Suppose you want to limit how many apples can be discarded each day. Create a resource that represents the discard action, attach a limited fixed-window rule that resets daily, then check or consume against it. This pattern generalizes to “per day”, “per month”, or “lifetime” limits.
1) POST /v1/resources
→ create "apples-discard"
2) POST /v1/quota-rules
→ quota_policy=limited
→ quota_limit=100
→ reset_strategy={ unit: "day", interval: 1 }
→ enforcement_mode=enforced
3) POST /v1/quota/check
→ preflight a discard (amount=1 or 0)
4) POST /v1/quota/consume
→ record a discard (amount=1) with request_id for idempotencyUse reset_strategy { unit: "day", interval: 1 }; set enforcement_mode=enforced to block over-limit discards.
Define a resource that quota rules attach to.
Use this to register a billable or rate-limited entity (API, feature, or customer-facing action). Each resource should be stable and unique so usage and limits stay aligned over time.
POST /v1/resources
{
"name": "Payments API",
"description": "Used by service A"
}{
"id": "res_abcd1234",
"account_id": "acct_123",
"name": "Payments API",
"description": "Used by service A",
"created_at": "2025-01-10T12:34:56Z"
}const res = await fetch("https://quota-api.thrysha.io/v1/resources", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": "Bearer <API_KEY>",
},
body: JSON.stringify({ name: "Payments API", description: "Used by service A" }),
});
const data = await res.json();Fetch all resources for the authenticated account.
Enumerate resources to audit what is being metered, surface IDs for automation, and reconcile against your product catalog.
GET /v1/resources?page=1&page_size=50
{
"items": [
{
"id": "res_abcd1234",
"account_id": "acct_123",
"name": "Payments API",
"created_at": "..."
}
],
"page": 1,
"page_size": 50,
"total": 1
}const res = await fetch("https://quota-api.thrysha.io/v1/resources?page=1&page_size=50", {
headers: {
"Authorization": "Bearer <API_KEY>",
},
});
const data = await res.json();Remove a resource by ID.
Use for cleanup when a resource is retired. Deleting removes it from future listings; ensure you have no active rules or dependencies before deleting.
DELETE /v1/resources/{resourceID}{ "status": "deleted" }await fetch("https://quota-api.thrysha.io/v1/resources/res_abcd1234", {
method: "DELETE",
headers: {
"Authorization": "Bearer <API_KEY>",
},
});Attach quota policy, limits, and reset strategy to a resource.
Define how usage is tracked: limited rules enforce caps and require quota_limit + enforcement_mode; unlimited rules observe usage without blocking. reset_strategy now takes unit (hour/day/week/month/year/never) and interval (>0, ignored for never).
POST /v1/quota-rules
{
"resource_id": "res_abcd1234",
"quota_limit": 1000,
"quota_policy": "limited", // optional, defaults to "limited"
"reset_strategy": {
"unit": "hour", // hour | day | week | month | year | never
"interval": 1 // > 0; ignored for "never"
},
"enforcement_mode": "enforced" // or "non_enforced"
}{
"id": "qr_123",
"resource_id": "res_abcd1234",
"quota_policy": "limited",
"quota_limit": 1000,
"reset_strategy": { "unit": "hour", "interval": 1 },
"enforcement_mode": "enforced",
"created_at": "..."
}await fetch("https://quota-api.thrysha.io/v1/quota-rules", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": "Bearer <API_KEY>",
},
body: JSON.stringify({
resource_id: "res_abcd1234",
quota_policy: "limited",
quota_limit: 1000,
reset_strategy: { unit: "hour", interval: 1 },
enforcement_mode: "enforced",
}),
});Get quota rules for a resource.
Inspect current limits and reset strategies for a resource. Useful for dashboards, audits, and ensuring clients see active enforcement settings.
GET /v1/quota-rules?resource_id=res_abcd1234&page=1&page_size=50
{
"items": [
{
"id": "qr_123",
"resource_id": "res_abcd1234",
"quota_limit": 1000,
"quota_policy": "limited",
"reset_strategy": "fixed_window",
"reset_interval_seconds": 3600,
"enforcement_mode": "enforced",
"created_at": "..."
}
],
"page": 1,
"page_size": 50,
"total": 1
}const res = await fetch("https://quota-api.thrysha.io/v1/quota-rules?resource_id=res_abcd1234&page=1&page_size=50", {
headers: {
"Authorization": "Bearer <API_KEY>",
},
});
const data = await res.json();Remove a quota rule by ID.
Stop enforcing or observing usage for a resource. Ensure you create a replacement rule if the resource still needs coverage.
DELETE /v1/quota-rules/{ruleID}{ "status": "deleted" }await fetch("https://quota-api.thrysha.io/v1/quota-rules/qr_123", {
method: "DELETE",
headers: {
"Authorization": "Bearer <API_KEY>",
},
});Check usage without consuming it (amount can be 0).
Preflight requests to see if they would be allowed. No counters are consumed. Ideal for client gating and showing remaining balances before acting.
POST /v1/quota/check
{
"resource_id": "res_abcd1234",
"subject_id": "sub_1234",
"amount": 0
}{
"allowed": true,
"remaining": 975,
"limit": 1000
}const res = await fetch("https://quota-api.thrysha.io/v1/quota/check", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": "Bearer <API_KEY>",
},
body: JSON.stringify({ resource_id: "res_abcd1234", subject_id: "sub_1234", amount: 0 }),
});
const data = await res.json();Consume usage with an idempotent request_id.
Use this to record usage and enforce limits. Provide a stable request_id to avoid double-charging on retries. Enforced rules block when limits are exceeded; observe rules only log usage.
POST /v1/quota/consume
{
"resource_id": "res_abcd1234",
"subject_id": "sub_1234",
"amount": 25,
"request_id": "unique-idempotency-key"
}{
"allowed": true,
"remaining": 950
}const res = await fetch("https://quota-api.thrysha.io/v1/quota/consume", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": "Bearer <API_KEY>",
},
body: JSON.stringify({
resource_id: "res_abcd1234",
subject_id: "sub_1234",
amount: 25,
request_id: "unique-idempotency-key",
}),
});
const data = await res.json();Usage increments are stored in memory and flushed periodically. In rare failure scenarios (e.g., Redis process crash), increments from the last few minutes may not be persisted.
This affects reporting accuracy for the most recent window but does not affect quota enforcement, which always uses the live counter state at the moment of the request.