Protect against abuse or misuse

Our API has been built for easy to use, fast response times and efficiently use of memory databases. But we will still have a throttling system in place to protect against abuse or misuse of the API. For example, a malicious actor could flood the API with requests in an attempt to overload it or cause disruptions in service. By setting rate limits we can prevent this kind of activity.

Fair access to everyone

If one makes excessive number of requests it could affect other users. By throttling and efficiently give clear response headers we ensure that everyone can use the API with ultra low response times and deal with the various rate limitations.

Rate limiter types

We have three different rate limiters:

  • Requests per month (period from the actual reset time)
  • Requests per minute which is a sliding measurement)
  • Requests originating from number of IP-addresses

Headers sent to the client

KeyDescription
X-RateLimit-ResetRate limit will reset in number of seconds from the response
X-RateLimit-LimitThe actual number of requests you can carry out over the current period
X-RateLimit-RemainingThe number of remaining request you can carry out before the period resets
X-RateLimit-Limit-MinuteThe number of requests you can carry out per minute
X-RateLimit-Limit-IPThe number of requests you have left in the actual current minute period
X-RateLimit-Remaining-MinuteThe number of IP adresses you are allowed to carry out requests from
X-RateLimit-Remaining-IPThe number of IP adresses left which you are allowed to carry out requests from

Body response

Whenever a rate limiter is triggered a http status code 429 (too many requests) would be returned with a json response in the body similar to the example below which indicates which header keys are subject to the trigger and whenever it resets.

Example response
{
  "status": 429,
  "detail": "Too many requests, buy more or upgrade your subscription, check header X-RateLimit-Reset. Will reset at 2024-11-17 07:10:53.",
  "urlForDocumentation": "https://docs.tic.io/throttling"
}

Limit by IP Address

The limits by number of IP addresses is to protect in the case that keys have been exposed. By default TIC will capture the downstream IP address X-Real-IP or X-Forwarded-For.