Thanks for the clarifications, Eric. This is very helpful.
-Subba
-----Original Message-----
From: Eric Wittmann [mailto:eric.wittmann@redhat.com]
Sent: Friday, May 27, 2016 9:04 AM
To: Subbarao Denduluri <sdenduluri(a)ebsco.com>; apiman-user(a)lists.jboss.org
Subject: Re: APIMAN rate limiting policy granularity
(adding the apiman-user list for posterity)
Thanks for the question. Here are definitions of these two granularities:
User: only possible when also using Authentication (basic or oauth), the granularity is
based off the username of the authenticated user as well as the API information. In other
words, the "rate limiting counter id" for this would be:
username+apiOrgId+apiId+apiVersion
Client: only possible for non-public APIs - this is based off the API Key of the client
app issuing the request. In other words, the "rate limiting counter id" for this would be:
API Key+apiOrgId+apiId+apiVersion
I hope that helps!
-Eric
On 5/26/2016 3:40 PM, Subbarao Denduluri wrote:
The granularity shows: user, api and client. What is the
difference between user and client? And also thinking of putting the policy at the APIKEY
level. Does that mean the user level?
thanks