API Gateway limits and quotas-API Gateway(API Gateway)-阿里云帮助中心

API Gateway imposes limits on API groups, domain names, connections, and request rates.

Item	Limits
Users	Real-name authentication required.
API groups	- Up to 200 API groups per region per account, including both domain-bound and unbound groups. - By default, up to 5 unbound API groups per region. If the account has any domain-bound groups in the region, the unbound limit increases to 20. To request a higher quota, submit a ticket.
Public second-level domain name	API calls through the public second-level domain name: - Up to 1,000 calls per day in Chinese mainland regions. Up to 100 calls per day in the China (Hong Kong) region and other regions outside the Chinese mainland. - Browser-based calls download data by default.
Independent domain names	Up to 5 per API group, including wildcard domain names.
APIs per group	Up to 1,000 per API group.
Requests per second (RPS)	- For dedicated instances, the RPS limit per API group depends on the instance specification. Important RPS calculation includes all requests that reach API Gateway, including non-200 responses. The combined request and response rate cannot exceed 4,000 per second.
Connections	- The connection limit per dedicated instance depends on the instance specification.
Applications	- Up to 1,000 applications per account by default. To request a higher quota, submit a ticket. - Up to 1,000 applications per API. To request a higher quota, submit a ticket.
HTTP requests	- Maximum URL + header size: 8 KB. - Maximum request body: 8 MB (serverless instances), 32 MB (dedicated instances). - Response body size: unlimited, but must complete within the timeout period.
Function Compute response	Maximum response body size: 6 MB.
HTTP and OSS backend services	HTTP and OSS backend services are unavailable in the China (Hong Kong) region and regions outside the Chinese mainland.
Default circuit breaker protection	If 1,000 backend timeouts occur within 30 seconds, the circuit breaker trips for 90 seconds. During this period, new requests receive `Status=503` and `X-Ca-Error-Code=D503CB`. After 90 seconds, the breaker enters a half-open state, allowing limited requests through. If the backend recovers, the breaker closes and resumes full traffic. Configure a custom circuit breaker plug-in for dedicated instances. For more information, see Circuit breaker plug-ins (for dedicated instances only). Note Third-party authentication plug-ins also provide a default circuit breaker mechanism.