- Updated: March 18, 2026
- 4 min read
Ready‑to‑Use OPA Policy Templates for OpenClaw Edge Token‑Bucket Rate Limiter
# Ready‑to‑Use OPA Policy Templates for OpenClaw Edge Token‑Bucket Rate Limiter
*Author: Senior Engineer*
—
OpenClaw Edge provides a powerful token‑bucket rate limiter that can be driven by Open Policy Agent (OPA) policies. Below you will find ready‑to‑use OPA policy templates for three common scenarios:
1. **Per‑agent limits** – enforce a different quota per client identifier.
2. **Burst control** – allow short spikes while keeping the long‑term rate in check.
3. **Dynamic quota adjustments** – change limits on‑the‑fly based on external signals (e.g., subscription tier).
Each section contains a complete Rego policy, a short explanation, and step‑by‑step instructions on how to plug it into OpenClaw Edge.
—
## 1. Per‑Agent Limits
### Policy (`per_agent.rego`)
rego
package openclaw.rate_limit
# Define a default quota (tokens per second) for unknown agents
default_quota := 10
# Map of known agents to their specific quotas
agent_quota := {
“agent‑alpha”: 20,
“agent‑beta”: 5,
“agent‑gamma”: 15,
}
# The entry point expected by OpenClaw Edge
allow {
input := {
“key”: input.request.headers[“x‑agent‑id”][0],
“tokens”: 1,
“capacity”: get_quota(input.request.headers[“x‑agent‑id”][0]),
}
# The decision is delegated to the built‑in token‑bucket evaluator
result := data.openclaw.token_bucket.allow(input)
result.allowed
}
# Helper to fetch the quota for a given agent
get_quota(agent) = quota {
quota := agent_quota[agent]
} else = default_quota {
true
}
### How to Deploy
1. Save the policy as `per_agent.rego` in your OPA bundle.
2. Configure OpenClaw Edge to point to the OPA endpoint (`/v1/data/openclaw/rate_limit/allow`).
3. Ensure every request includes the `X-Agent-Id` header.
4. Restart OPA and OpenClaw Edge.
—
## 2. Burst Control
### Policy (`burst_control.rego`)
rego
package openclaw.rate_limit
# Fixed capacity and refill rate for the bucket
capacity := 100 # maximum tokens the bucket can hold
refill_rate := 10 # tokens added per second
allow {
input := {
“key”: “global”,
“tokens”: 1,
“capacity”: capacity,
“refill”: refill_rate,
}
result := data.openclaw.token_bucket.allow(input)
result.allowed
}
### Steps
1. Place `burst_control.rego` in the OPA bundle.
2. The `key` is set to a constant (`”global”`) so the bucket is shared across all callers.
3. Adjust `capacity` to define the maximum burst size and `refill_rate` for the sustained rate.
4. Deploy and verify with a load‑test tool – you should see short spikes accepted until the bucket empties, then a steady rate.
—
## 3. Dynamic Quota Adjustments
### Policy (`dynamic_quota.rego`)
rego
package openclaw.rate_limit
# External data source that holds the current quota per tenant
import data.tenants.quota
allow {
tenant := input.request.headers[“x‑tenant‑id”][0]
quota_val := quota[tenant]
input := {
“key”: tenant,
“tokens”: 1,
“capacity”: quota_val,
}
result := data.openclaw.token_bucket.allow(input)
result.allowed
}
### Deployment Workflow
1. Create a JSON document in OPA’s data store, e.g., `tenants/quota.json`:
{
“tenant‑a”: 50,
“tenant‑b”: 20,
“tenant‑c”: 100
}
2. Whenever a subscription changes, update this document via OPA’s REST API (`PUT /v1/data/tenants/quota`).
3. The policy automatically picks up the new limits without a restart.
4. Ensure each request carries `X-Tenant-Id`.
—
## Putting It All Together
You can combine the three policies into a single bundle and use a switch based on request headers to select the appropriate bucket logic. The following high‑level flow illustrates the process:
1. **Identify the scenario** – check for `X-Agent-Id`, `X-Tenant-Id`, or fall back to global burst.
2. **Select the policy** – call the corresponding rule (`allow_per_agent`, `allow_burst`, `allow_dynamic`).
3. **Enforce** – OpenClaw Edge will reject requests when the bucket denies.
### Example Integration Snippet (Go)
go
func rateLimitDecision(r *http.Request) (bool, error) {
// Build OPA input payload
input := map[string]interface{}{
“request”: map[string]interface{}{
“headers”: r.Header,
},
}
// Call OPA
resp, err := http.Post(“http://opa:8181/v1/data/openclaw/rate_limit/allow”, “application/json”, bytes.NewReader(mustJSON(input)))
if err != nil {
return false, err
}
defer resp.Body.Close()
var result struct{ Result struct{ Allowed bool `json:”allowed”` } `json:”result”` }
json.NewDecoder(resp.Body).Decode(&result)
return result.Result.Allowed, nil
}
—
## Next Steps
* Deploy the policies to a staging environment and run realistic traffic patterns.
* Tune `capacity` and `refill_rate` based on observed latency and error rates.
* Hook the dynamic quota data source into your billing system for automated upgrades.
For a complete walkthrough of installing OpenClaw Edge, see our **[OpenClaw Edge hosting guide]**(https://ubos.tech/host-openclaw/).
—
*Happy rate‑limiting!*