Authorization Control Plane (ACP) SaaS deployment uses rate limiting to cap the number of requests possible per second. In this article, you can get familiar with actions that may result in your application being rate limited. You can also learn how ACP uses response headers to provide you with information on your rate limits.
Rate limiting in a nutshell
Rate limiting is a strategy used for limiting network traffic. It puts a limit, for example, on how many API requests can be made to a specific endpoint or API group.
ACP uses rate limiting to protect the application from rapid configuration changes and aggressive polling. Rate limiting enhances the security of your ACP instance, as your ACP APIs are protected from abuse and sustained, artificially high load.
Each ACP tenant has a peak request amount configured per single burst. Additionally, the average limit is calculated as a rolling average of the request amount from the last hours, so that the experience for standard ACP users is as smooth as possible without a need to worry about rate limits.
Rate limits may differ between ACP tenants. Rate limits are also used as the primary metric for licensing enforcement. Free tier tenants have lower limits than paid tier tenants. If you find yourself hitting rate limits on a daily basis, consider switching to a paid license for your ACP tenant.
ACP APIs and rate limits
To tackle all of the security challenges mentioned in the section above, all ACP APIs are subject to rate limiting. Limits vary between different types of ACP APIs (Admin APIs, Developer APIs, OAuth2 APIs, and more).
Exceeding the rate limit for your ACP APIs results in the HTTP 429 error with the error message stating Too many requests. You can check the amount of time that must pass before you can start using a particular API again by reviewing the value of the retry-after response header. To learn more about response headers that concern rate limiting, see the HTTP response headers for rate limits section.
Getting the 429 error
If you have triggered the HTTP 429 error, please refrain from any additional requests until the time specified in the retry-after response header elapses.
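As an added example (not part of Cloudentity's documentation or SDKs), a small Python client helper that honours the retry-after header on an HTTP 429: it parses both the delta-seconds and HTTP-date forms the header may carry, caps the wait so a bogus value cannot stall the client, and retries only after the advertised delay. The `send` callable, the cap value and the scripted responses are assumptions constructed for the example.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: never sleep longer than this, whatever the header says.
MAX_WAIT_SECONDS = 300


def retry_after_seconds(headers, now=None):
    """Seconds to wait according to Retry-After, or None if absent/unparseable.

    Retry-After is either delta-seconds ("120") or an HTTP-date. Header
    lookup is case-insensitive; the result is clamped to [0, MAX_WAIT_SECONDS].
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("retry-after")
    if raw is None:
        return None
    raw = raw.strip()
    if raw.isdigit():
        delay = int(raw)
    else:
        try:
            when = parsedate_to_datetime(raw)
        except (TypeError, ValueError):
            return None
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        delay = (when - now).total_seconds()
    return max(0, min(delay, MAX_WAIT_SECONDS))


def call_with_backoff(send, max_attempts=3, sleep=time.sleep):
    """Call send() -> (status, headers, body) until it is not 429 or attempts run out.

    On 429 the wait comes from Retry-After; without a usable header, fall back
    to capped exponential backoff. Returns ((status, headers, body), attempts).
    """
    attempts = 0
    while True:
        attempts += 1
        status, headers, body = send()
        if status != 429 or attempts >= max_attempts:
            return (status, headers, body), attempts
        delay = retry_after_seconds(headers)
        if delay is None:
            delay = min(2 ** attempts, MAX_WAIT_SECONDS)
        sleep(delay)


def constructed_acp_responses():
    """Constructed sequence: a tenant is throttled twice (429), then served (200)."""
    script = iter([
        (429, {"Retry-After": "2"}, '{"error":"Too many requests"}'),
        (429, {"retry-after": "1"}, '{"error":"Too many requests"}'),
        (200, {"Content-Type": "application/json"}, '{"ok":true}'),
    ])
    return lambda: next(script)
```

Swap `constructed_acp_responses()` for a function that performs the real HTTP request and returns the same tuple; the retry logic stays unchanged.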
HTTP response headers for rate limits
You can view the response headers in the Network tab in the developer tools for your browser. You can also check them by adding the -v (verbose) flag to your cURL request.
ACP Free tier rate limits
The table below presents rate limits for the free tier of the ACP SaaS solution:
API group | Time period in minutes | Rate | Burst
Cloudentity reserves the right to change the rate limits for the free tier at any time without any prior notice. For most up-to-date information on rate limits, check the response headers for the rate-limited APIs.
For testing multi-factor authentication (MFA), ACP users can use the send test OTP message endpoint that provides them with one-time passwords. This endpoint is also rate limited to prevent email spam and abuse. You can send one request to the /test endpoint per minute with the burst also set