Probe an API's rate limits with synthetic load to validate published limits, burst behavior, and 429 response headers.
Sends a calibrated traffic profile to an API and observes when 429 responses begin, how the Retry-After and RateLimit-* headers behave, and how quickly the server recovers. Compares observed limits to documented ones.
Inputs:
- endpoint: full URL to probe.
- auth_header (optional): a header to include for authenticated rate limits.
- documented_rps: the published rate limit (used as the test target).
- burst_size: documented burst (default documented_rps).

Steps:
1. Traffic profile: ramps from documented_rps - 10% to documented_rps + 50% over 60 seconds, then holds.
2. Run `k6 run script.js -o json=results.json` and capture per-second response status and latency.
3. Record the rate at which 429 responses begin as observed_throttle_rps.
4. Parse the RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset (or legacy X-RateLimit-*) and Retry-After headers from 429 responses; verify they conform to the RFC drafts.
5. Burst test: send burst_size + 5 requests in 1 second, then idle for 5 seconds; record the number of 429s.
6. Compare observed_throttle_rps to documented_rps. A >20% deviation in either direction is a finding.

Output: rate-limit-test.md containing documented vs observed limits, the header conformance check, the burst capacity finding, recovery time, and a verdict (conforms / deviates / non-conformant-headers), plus the raw k6 results JSON.
Re-run the test from a different IP/region; rate limits are often per-IP, and a regional difference indicates that per-region limits exist. For each header observation, manually fetch one request and confirm the header parser matches the actual server output. Whether the API uses a leaky-bucket or a token-bucket scheme, the burst behavior will reveal it; document the inferred algorithm.
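The analysis half of the procedure above (steps 3 to 6 and the verdict), as an added example that is not the skill's own code. It assumes the probe has already flattened the k6 output into records of the shape (second, status, headers); the sample records and the 429 headers are constructed inline. The conformance check targets the per-header RateLimit-* form the skill names (later drafts of the IETF RateLimit header specification changed the field layout, so treat the check as a baseline), and giving header non-conformance precedence over a rate deviation in the verdict is this example's choice, not something the skill specifies.

```python
import re
from collections import defaultdict
from email.utils import parsedate_to_datetime

# Constructed sample: headers a throttling server might attach to a 429.
LIMIT_HEADERS = {
    "RateLimit-Limit": "100",
    "RateLimit-Remaining": "0",
    "RateLimit-Reset": "1",
    "Retry-After": "1",
}

INT_PREFIX = re.compile(r"^\s*(\d+)")


def build_records(offered_per_second, enforced_limit):
    """Construct (second, status, headers) records like a probe would keep from
    k6's per-request output: the simulated server accepts up to enforced_limit
    requests per second and answers the rest with a 429."""
    records = []
    for sec, offered in enumerate(offered_per_second):
        for i in range(offered):
            if i < enforced_limit:
                records.append((sec, 200, {}))
            else:
                records.append((sec, 429, dict(LIMIT_HEADERS)))
    return records


def observed_throttle_rps(records):
    """Rate the server actually allowed: accepted (non-429) responses in the
    first second that produced a 429. None if the server never throttled."""
    per_second = defaultdict(lambda: {"accepted": 0, "throttled": 0})
    for sec, status, _ in records:
        per_second[sec]["throttled" if status == 429 else "accepted"] += 1
    for sec in sorted(per_second):
        if per_second[sec]["throttled"]:
            return per_second[sec]["accepted"]
    return None


def parse_rate_limit_headers(headers):
    """Pull RateLimit-* (falling back to legacy X-RateLimit-*) and Retry-After
    from one 429 response; names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}

    def pick(name):
        return lowered[name] if name in lowered else lowered.get("x-" + name)

    return {
        "limit": pick("ratelimit-limit"),
        "remaining": pick("ratelimit-remaining"),
        "reset": pick("ratelimit-reset"),
        "retry_after": lowered.get("retry-after"),
    }


def header_problems(parsed):
    """Baseline conformance check: each RateLimit field starts with a
    non-negative integer, Remaining is 0 on a 429, and Retry-After is either
    delay-seconds or an HTTP-date (RFC 9110). Empty list means conformant."""
    problems = []
    for key in ("limit", "remaining", "reset"):
        val = parsed.get(key)
        if val is None or not INT_PREFIX.match(val):
            problems.append(f"{key}: missing or not an integer")
    remaining = parsed.get("remaining")
    match = INT_PREFIX.match(remaining) if remaining is not None else None
    if match and int(match.group(1)) != 0:
        problems.append("remaining: expected 0 alongside a 429")
    retry = parsed.get("retry_after")
    if retry is None:
        problems.append("retry_after: missing")
    elif not retry.strip().isdigit():
        try:
            parsedate_to_datetime(retry)
        except (TypeError, ValueError):
            problems.append("retry_after: neither delay-seconds nor an HTTP-date")
    return problems


def burst_429s(records, start_sec, window_seconds=1):
    """Number of 429s inside the burst window starting at start_sec."""
    return sum(1 for sec, status, _ in records
               if start_sec <= sec < start_sec + window_seconds and status == 429)


def verdict(documented_rps, observed, problems):
    """Skill rule: a >20% deviation either way is a finding; non-conformant
    headers are reported first (this precedence is the example's choice)."""
    if observed is None:
        return "inconclusive"
    if problems:
        return "non-conformant-headers"
    deviation = abs(observed - documented_rps) / documented_rps
    return "conforms" if deviation <= 0.20 else "deviates"


def summarize(records, documented_rps, burst_start_sec):
    """Assemble the findings that go into rate-limit-test.md."""
    first_429 = next((h for _, status, h in records if status == 429), {})
    parsed = parse_rate_limit_headers(first_429)
    problems = header_problems(parsed) if first_429 else ["no 429 observed"]
    observed = observed_throttle_rps(records)
    return {
        "documented_rps": documented_rps,
        "observed_throttle_rps": observed,
        "headers": parsed,
        "header_problems": problems,
        "burst_429s": burst_429s(records, burst_start_sec),
        "verdict": verdict(documented_rps, observed, problems),
    }


# Constructed run: offered load ramps 90 -> 120 rps against a limit of 100.
SAMPLE = build_records([90, 100, 110, 120], enforced_limit=100)

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, documented_rps=100, burst_start_sec=3).items():
        print(f"{key}: {value}")
```

To use it against a real run, replace `SAMPLE` with records derived from the k6 JSON output (one record per request, bucketed by the second it completed in) and feed the first 429's headers through `parse_rate_limit_headers`; the manual single-request check described above is the right way to confirm that parser output matches what the server really sends.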
Server header).
Same domains or capabilities as amitte/rate-limit-tester.
Diff two OpenAPI YAML files and produce a backwards-compatibility changelog grouped into breaking, non-breaking, and additive changes.
Audit an AWS IAM policy against CloudTrail usage data and propose a minimized policy listing only actions actually invoked in the analysis window.
Map a SOC2 or ISO 27001 control to evidence artifacts in a typical engineering org — produce a list of artifacts, owners, and the query or path that produces each.
Scan a container image with Trivy or Grype and surface fixes ranked by exploitability and patch availability.
Audit a CORS configuration for over-permissive Origin, Methods, and Headers and propose a tightened policy keyed to actual cross-origin call patterns.
Tighten a Content-Security-Policy by stripping wildcards and verifying the result against actual page resource loads observed in browser logs.