I am implementing a Spike Arrest policy in my Apigee proxy. I added the policy to the proxy PreFlow as the first policy to execute, as I don’t want to execute other policies in the proxy for unwanted calls.
My backend can handle 100tps calls.
With that configuration, I am seeing the following issue:
When one valid batch client calls the API with an incorrect clientId/token, after 100 calls the Apigee gateway throws a 429 error for any further call, even if the call comes from a different client within the second.
To solve the issue, I thought of adding the token validation policy before Spike Arrest. But then I am losing control over handling robocalls for the authorization server.
Which will be the best way to solve this condition? Where should I add the Spike Arrest policy in the proxy?
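
One possible layout for the ordering question above, shown as an added example that is not part of the original post: a per-source Spike Arrest ahead of token validation, and a shared Spike Arrest sized to the backend after it. The policy names, the `20ps` rate, the use of `client.ip` as the identifier, and the OAuthV2 policy standing in for the poster's token validation step are assumptions; `100ps` is the backend limit stated in the post.

```xml
<!-- Added example: three policy files and the PreFlow that orders them. -->
<!-- Policy names and the 20ps rate are assumptions, not values from the post. -->

<!-- 1. Runs first: one counter per source address, so a single noisy caller
     cannot use up the allowance of other callers before authentication.
     Assumes client.ip identifies the caller (not true behind a shared NAT). -->
<SpikeArrest name="SA-PerSource">
  <Identifier ref="client.ip"/>
  <Rate>20ps</Rate>
</SpikeArrest>

<!-- 2. Stand-in for the token validation policy: calls with a bad token
     are rejected here and never count against the backend limit. -->
<OAuthV2 name="OA-VerifyToken">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- 3. No Identifier: one shared counter sized to the backend (100 tps),
     counted only for calls that passed token verification. -->
<SpikeArrest name="SA-Backend">
  <Rate>100ps</Rate>
</SpikeArrest>

<!-- ProxyEndpoint PreFlow: step order is execution order. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>SA-PerSource</Name></Step>
    <Step><Name>OA-VerifyToken</Name></Step>
    <Step><Name>SA-Backend</Name></Step>
  </Request>
  <Response/>
</PreFlow>
```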