partial

patriciasantaana · patriciasantaana · commit 6f5a673c5101 · 2025-07-17T13:58:07.000-07:00
diff --git a/src/content/docs/api-shield/security/jwt-validation/index.mdx b/src/content/docs/api-shield/security/jwt-validation/index.mdx
@@ -6,7 +6,7 @@ sidebar:
 
 ---
 
-import { GlossaryTooltip, Steps, Tabs, TabItem } from "~/components"
+import { GlossaryTooltip, Steps, Tabs, TabItem, Render } from "~/components"
 
 <GlossaryTooltip term="JSON web token (JWT)">JSON web tokens (JWT)</GlossaryTooltip> are often used as part of an authentication component on many web applications today. Since JWTs are crucial to identifying users and their access, ensuring the token’s integrity is important.
 
@@ -103,29 +103,7 @@ If you expect to migrate between two different identity providers, you must crea
 
 API Shield will verify JSON Web Tokens regardless of whether or not they have the `Bearer` prefix.
 
-### Rate limit by user (JWT claim)
-
-You can rate limit requests based on any claim inside of a JSON Web Token (JWT), such as registered claims like `aud` or `sub`, or custom claims like `userEmail` or nested custom claims like `user.email`.
-
-Rate limiting based on JWT claim values will only work on valid JSON Web Tokens. If you do not block invalid JSON Web Tokens on your path, the [JWT claims will all be counted and possibly blocked](https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/#missing-field-versus-empty-value) if high traffic is detected in the Point of Presence (PoP).
-
-You must also count the JWT claim that uniquely identifies the user. If you select a claim that is the same for many of your users, their rate limits will all be counted together.
-
-### Rate limit by user tier
-
-If you offer multiple tiers on your website or application and you want to enforce rate limiting based on the tiers, such as:
-
-- If `"aud": "free-tier"`, rate limit to five requests per minute
-- If `"aud": "premium-tier"`, rate limit to 50 requests per minute
-
-You can follow the rate limiting rule example below:
-
-```txt title="Rule example"
-(http.request.method eq "GET" and
-http.host eq "<YOUR_DOMAIN>" and
-http.request.uri.path matches "</EXAMPLE_PATH>" and
-lookup_json_string(http.request.jwt.claims["<JWT_TOKEN_CONFIGURATION_ID>"][0], "aud") eq "free-tier"
-```
+<Render file="rate-limit-user" />
 
 ## Availability
 
diff --git a/src/content/docs/api-shield/security/volumetric-abuse-detection.mdx b/src/content/docs/api-shield/security/volumetric-abuse-detection.mdx
@@ -7,7 +7,7 @@ sidebar:
 
 ---
 
-import { GlossaryTooltip, Steps } from "~/components"
+import { GlossaryTooltip, Steps, Render } from "~/components"
 
 Cloudflare Volumetric Abuse Detection helps you set up a system of adaptive rate limiting.
 
@@ -60,6 +60,10 @@ Refer to the [Rules documentation](https://developers.cloudflare.com/waf/rate-li
 
 [Rate limit recommendations are available via the API](/api/resources/api_gateway/subresources/operations/methods/get/) if you would like to dynamically update rate limits over time.
 
+## Special cases 
+
+<Render file="rate-limit-user" />
+
 ## Limitations
 
 API Shield will always calculate recommendations when session identifiers are configured. To enable session-based rate limits, [subscribe to Advanced Rate Limiting](/waf/rate-limiting-rules/#availability).
diff --git a/src/content/partials/api-shield/rate-limit-user.mdx b/src/content/partials/api-shield/rate-limit-user.mdx
@@ -0,0 +1,28 @@
+---
+{}
+
+---
+
+### Rate limit by user (JWT claim)
+
+You can rate limit requests based on any claim inside of a JSON Web Token (JWT), such as registered claims like `aud` or `sub`, or custom claims like `userEmail` or nested custom claims like `user.email`.
+
+Rate limiting based on JWT claim values will only work on valid JSON Web Tokens. If you do not block invalid JSON Web Tokens on your path, the [JWT claims will all be counted and possibly blocked](https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/#missing-field-versus-empty-value) if high traffic is detected in the Point of Presence (PoP).
+
+You must also count the JWT claim that uniquely identifies the user. If you select a claim that is the same for many of your users, their rate limits will all be counted together.
+
+### Rate limit by user tier
+
+If you offer multiple tiers on your website or application and you want to enforce rate limiting based on the tiers, such as:
+
+- If `"aud": "free-tier"`, rate limit to five requests per minute
+- If `"aud": "premium-tier"`, rate limit to 50 requests per minute
+
+You can follow the rate limiting rule example below:
+
+```txt title="Rule example"
+(http.request.method eq "GET" and
+http.host eq "<YOUR_DOMAIN>" and
+http.request.uri.path matches "</EXAMPLE_PATH>" and
+lookup_json_string(http.request.jwt.claims["<JWT_TOKEN_CONFIGURATION_ID>"][0], "aud") eq "free-tier"
+```
