wso2 · Saadha123 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
diff --git a/gateway/gateway-controller/default-policies/advanced-ratelimit.yaml b/gateway/gateway-controller/default-policies/advanced-ratelimit.yaml
@@ -1,5 +1,5 @@
 name: advanced-ratelimit
-version: v1.0.2
+version: v1.0.3
 description: |
   Applies advanced rate limits using fixed-window (default) or GCRA algorithms with multi-quota controls,
   configurable key and cost extraction, and memory or Redis storage.

diff --git a/gateway/gateway-controller/default-policies/api-key-auth.yaml b/gateway/gateway-controller/default-policies/api-key-auth.yaml
@@ -1,5 +1,5 @@
 name: api-key-auth
-version: v1.0.1
+version: v1.0.2
 description: |
   Secures APIs by validating API keys in incoming requests. API keys can be
   provided through a configured HTTP header or query parameter.

diff --git a/gateway/gateway-controller/default-policies/llm-cost-based-ratelimit.yaml b/gateway/gateway-controller/default-policies/llm-cost-based-ratelimit.yaml
@@ -1,5 +1,5 @@
 name: llm-cost-based-ratelimit
-version: v1.0.2
+version: v1.0.3
 description: |
   A specialized rate limiting policy for LLMs that limits usage based on monetary budgets.
   The policy reads costs from SharedContext.Metadata under "x-llm-cost" (set by the llm-cost
@@ -42,6 +42,16 @@ parameters:
               Examples: "1h" (1 hour), "24h" (1 day), "168h" (1 week), "720h" (30 days)
             pattern: "^(([0-9]+(\\.[0-9]*)?|\\.[0-9]+)(ns|us|µs|ms|s|m|h))+$"
 
+    consumerBased:
+      type: boolean
+      x-wso2-policy-advanced-param: false
+      description: |
+        When true, rate limits are applied per consumer (GenAI application) identified
+        by the x-wso2-application-id metadata key set by the api-key-auth policy.
+        Each application gets its own independent cost counter.
+        When false (default), a single shared limit applies across all consumers.
+      default: false
+
 systemParameters:
   type: object
   additionalProperties: false

diff --git a/gateway/gateway-controller/default-policies/token-based-ratelimit.yaml b/gateway/gateway-controller/default-policies/token-based-ratelimit.yaml
@@ -1,5 +1,5 @@
 name: token-based-ratelimit
-version: v1.0.2
+version: v1.0.3
 description: |
   Enforces token-based rate limits for LLM traffic by resolving token extraction
   paths from provider templates and delegating enforcement to the
@@ -75,6 +75,15 @@ parameters:
             description: Specifies the duration window for the limit as a Go
               duration string, for example "1s", "1m", "1h", or "24h".
             pattern: "^[-+]?(([0-9]+(\\.[0-9]*)?|\\.[0-9]+)(ns|us|µs|ms|s|m|h))+$"
+    consumerBased:
+      type: boolean
+      x-wso2-policy-advanced-param: false
+      description: |
+        When true, rate limits are applied per consumer (GenAI application) identified
+        by the x-wso2-application-id metadata key set by the api-key-auth policy.
+        Each application gets its own independent token counter.
+        When false (default), a single shared limit applies across all consumers.
+      default: false
   oneOf:
     - required: ["promptTokenLimits"]
       not: