Rate limiting

The Authorization Control Plane (ACP) SaaS deployment uses rate limiting to limit the number of requests allowed per second. In this article, you can get familiar with actions that may result in your application being rate limited. You can also learn how ACP uses response headers to provide you with information on your rate limits.

Rate limiting in a nutshell

Rate limiting is a strategy used for limiting network traffic. It puts a limit, for example, on how many API requests can be made to a specific endpoint/API group.

ACP uses rate limiting to protect the application from rapid configuration changes and aggressive polling. Rate limiting enhances the security of your ACP instance because your ACP APIs are protected from abuse and sustained, artificially high load.

Each ACP tenant has a peak number of requests configured per single burst. Additionally, the average limit is calculated as a rolling average of the request count over the last hours, so that standard ACP users get a smooth experience without having to worry about rate limits.

Rate limits may differ between ACP tenants. Rate limits are also used as the primary metric for licensing enforcement. Free tier tenants have lower limits than paid tier tenants. If you find yourself hitting rate limits on a daily basis, consider switching to a paid license for your ACP tenant.

ACP APIs and rate limits

To tackle all of the security challenges mentioned in the section above, all ACP APIs are subject to rate limiting. Limits vary between different types of ACP APIs (Admin APIs, Developer APIs, OAuth2 APIs, and more).

Exceeding the rate limit for your ACP APIs results in the HTTP 429 error with the error message Too many requests. You can check how long you must wait before you can use a particular API again by reviewing the value of the retry-after response header. To learn more about response headers that concern rate limiting, see the HTTP response headers for rate limits section.

Getting the 429 error

If you trigger the HTTP 429 error, refrain from sending any additional requests until the time specified in the retry-after response header elapses.

HTTP response headers for rate limits

| Header | Description |
| --- | --- |
| X-RateLimit-Limit | Limit is the maximum number of requests that could be permitted instantaneously for this key starting from an empty state. For example, if a rate limiter allows 10 requests per second per key, Limit is always 10. |
| X-RateLimit-Remaining | Remaining is the maximum number of requests that could be permitted instantaneously for the given key in the current state. For example, if the rate limiter allows 10 requests per second and has already received 6 requests for this key during this second, Remaining is 4. |
| X-Ratelimit-Reset | ResetAfter is the time until the rate limiter returns to its initial state for a given key. For example, if a rate limiter manages requests per second and received one request 200ms ago, ResetAfter returns 800ms. You can also think of this as the time until the Limit and Remaining are equal. |
| Retry-After | The Retry-After response header is present in the response if the HTTP 429 error was triggered. It specifies the amount of time that should elapse before the next request for a given key is made. |


You can view the response headers in the Network tab of your browser's developer tools. You can also check them by adding the -v (verbose) flag to your curl request.
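A client can act on these headers instead of retrying blindly. The following is an added example, not code from ACP or Cloudentity: a helper that decides how long to pause after a response. It assumes X-Ratelimit-Reset carries a number of seconds (the page does not state its wire format), and the function names and the one-second fallback are hypothetical.

```python
import math
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def _header(headers, name):
    """Look a header up case-insensitively (X-RateLimit-* vs X-Ratelimit-*)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def _seconds(value, now):
    """Parse delta-seconds or an HTTP-date; both are valid for Retry-After."""
    if value is None:
        return None
    try:
        number = float(value)
        # Reject nan/inf so a malformed header cannot stall the client forever.
        return max(0.0, number) if math.isfinite(number) else None
    except ValueError:
        pass
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - now).total_seconds())


def wait_before_next_request(status, headers, now=None, fallback=1.0):
    """Return the seconds to pause before calling the same API again."""
    now = now or datetime.now(timezone.utc)
    if status == 429:
        # Rate limited: honour Retry-After, fall back if missing or unparsable.
        delay = _seconds(_header(headers, "Retry-After"), now)
        return fallback if delay is None else delay
    remaining = _header(headers, "X-RateLimit-Remaining")
    if remaining is not None and remaining.isdigit() and int(remaining) == 0:
        # Budget exhausted: wait for the reset rather than provoking a 429.
        # Assumption: X-Ratelimit-Reset is expressed in seconds.
        delay = _seconds(_header(headers, "X-Ratelimit-Reset"), now)
        return fallback if delay is None else delay
    return 0.0
```

Call it with the status code and header mapping of each response and sleep for the returned value before sending the next request to the same API group.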

ACP Free tier rate limits

The table below presents rate limits for the free tier of the ACP SaaS solution:

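| API group | Time period in minutes | Rate | Burst |
| --- | --- | --- | --- |
| Admin | 1 | 300 | 50 |
| Developer | 1 | 600 | 50 |
| Public | 1 | 3000 | 500 |
| OAuth2 | 1 | 3000 | 500 |
| OpenBanking | 1 | 600 | 100 |
| Web | 1 | 3000 | 1000 |
| System | 1 | 3000 | 100 |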

Rate limits

Cloudentity reserves the right to change the rate limits for the free tier at any time without prior notice. For the most up-to-date information on rate limits, check the response headers for the rate-limited APIs.

OTP limits

For testing multi-factor authentication (MFA), ACP users can use the send test OTP message endpoint, which provides them with one-time passwords. This endpoint is also rate limited to prevent email spam and abuse. You can send one request per minute to the /test endpoint, with the burst also set to one.