
Here are all the API endpoints I am utilizing at this time:
/login
/organizations
/locations
/users
/assets
Essentially we call /login and /organization to get the login auth keys
I call /locations because our program looks at the logged-in user's location (we use Active Directory for this) and only allows them to see users at their location
I call /users to retrieve the list of users at the location to limit the drop-down list to those the logged in user is supposed to see
I call /assets to look up assets by ID when they are checking devices out
Once they have requested to checkout the device, there is a PUT call to update the asset checked-out-to field
We also have a script that runs each night which reads all user records and updates the location as well as unique_id from our Active Directory domain. We must do this because the LDAP import does not allow us to map these fields over. This is the one script that will read the most records at one time simply because it has to go through each user in the database. We have to run this nightly because the users on our system change each night.
-Chris
Hi,
Thanks, I added login recently. Please check.
I changed 409 to 429
I block by IP, but we are discussing this now.
Eugene
From: 'Lamb, Chris' via SherpaDesk API <sherpad...@googlegroups.com>
Sent: September 9, 2019, 21:32
To: Eugene Tolmachev <eug...@micajah.com>; SherpaDesk API <sherpad...@googlegroups.com>; Chris Lamb <chri...@apps.wylieisd.net>; Jon Vickers <jon.v...@micajah.com>
Subject: RE: [EXTERNAL]RE: [EXTERNAL]RE: API Call limits causing issues
Thanks for this information. Did you just change the /login to the never block list? I saw errors earlier this morning when testing saying I could only call every 1 second and every 5 seconds.
Also, is the error returned a 409? Normally a Throttle error message is a 429.
I’ve set up some test code with simple API calls with delays in them just to test everything out. Will give it a shot and let you know if everything works as explained.
Also, I asked the question earlier. Are the limits applied by IP Address or user id or session? Just curious as our web based programs utilize a single defined user for all API calls to make it simple. We also sit behind a NAT firewall so all calls will appear as if they come from the same IP address.
--Chris
From: Eugene Tolmachev <eug...@micajah.com>
Sent: Monday, September 9, 2019 12:52 PM
To: Lamb, Chris <Chri...@wylieisd.net>; SherpaDesk API <sherpad...@googlegroups.com>; Chris Lamb <chri...@apps.wylieisd.net>; Jon Vickers <jon.v...@micajah.com>
Subject: [EXTERNAL]RE: [EXTERNAL]RE: API Call limits causing issues
Thanks,
We don't have a public API; all requests are done by customers, BUT they misuse the API and make incorrect heavy requests.
Our current state is:
We never block these requests: /ping, /config, /login, /organizations
If we have low database load, we DON'T block requests.
If we experience DB misuse, we add the header X-Highdtu-Mode: 1
You may only perform this request every 1 seconds for single item and 10 seconds for lists next 15 minutes because of High Database Load!
If we experience DB overhead, we add the header X-Highdtu-Mode: 5
You may only perform this request every 5 seconds for single item and 50 seconds for lists next 30 minutes because of Very High Database Load!
Hope this helps!
Eugene
From: Lamb, Chris <Chri...@wylieisd.net>
Sent: September 9, 2019, 19:13
To: Eugene Tolmachev <eug...@micajah.com>; SherpaDesk API <sherpad...@googlegroups.com>; Chris Lamb <chri...@apps.wylieisd.net>; Jon Vickers <jon.v...@micajah.com>
Subject: RE: [EXTERNAL]RE: API Call limits causing issues
Eugene,
Any way to distinguish between a paid customer vs. someone accessing public API? You may just have to issue API keys and ban those that abuse it.
-Chris
From: Eugene Tolmachev <eug...@micajah.com>
Sent: Monday, September 9, 2019 10:14 AM
To: SherpaDesk API <sherpad...@googlegroups.com>; Chris Lamb <chri...@apps.wylieisd.net>; Jon Vickers <jon.v...@micajah.com>
Subject: [EXTERNAL]RE: API Call limits causing issues
Thanks for the feedback. Yes, we are looking for a solution to stabilize the situation with DDOS (hacker attack).
Together we will find a solution faster.
What requests are you doing?
I'll send our plan on API DDOS prevention today.
Eugene
From: 'Chris Lamb' via SherpaDesk API <sherpad...@googlegroups.com>
Sent: September 9, 2019, 17:31
To: SherpaDesk API <sherpad...@googlegroups.com>
Subject: Re: API Call limits causing issues
Is there anything returned in the headers to indicate how long we have to wait before the next call when we receive a 409 error? I see an X-Highdtu header but it returns a 5 no matter what message I receive back with the 409 error. In other words, when I receive the error "You may only perform this request every 5 seconds. Because of Very High Database Load!" the X-Highdtu is equal to 5 and when I receive the error "You may only perform this request every 50 seconds. Because of Very High Database Load!" the X-Highdtu is equal to 5. I see no other header keys which would indicate when we are supposed to call the API again. So how are we supposed to program for the API to back off the API calls? There is no way to determine when I can make the next attempt.
Honestly, at this moment, I can't get any consistent results in my test code. I have no idea what the limits are because I can implement 5 second and 50 second delays in my test script and some calls work, others do not. There's no logical way to determine what works and what doesn't. Kind of hard to program against the restrictions when I don't know what they are. Your reply indicated a limit of every 5 seconds and 60 seconds but the errors I am receiving indicate 5 and 50 seconds. So....what is the true limit? At this point, none of my programs written to connect via the API are working. Would have been nice to be informed about the change prior to it being implemented.
-Chris
--
You received this message because you are subscribed to the Google Groups "SherpaDesk API" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sherpad...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sherpadesk-api/a6c0afbf-3c90-4876-bbd5-b8e672150284%40googlegroups.com.
Eugene,
Can you clarify that statement? I am not sure what you mean by “and up”.
Are you saying each API call should be from a different authorized account if you want to have different call limits applied for each instance of the program running?
-Chris
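
A client-side pacer for the throttling policy listed earlier in this thread (the exempt paths, and X-Highdtu-Mode 1 and 5 with their single-item and list intervals), given as an added example that is not SherpaDesk's or any participant's code. It assumes the limit applies per endpoint, that the caller knows whether a request is a list request, and that a 429 without a usable header should be treated as the stricter tier; `HighDtuPacer` and its method names are hypothetical.

```python
import time

# Values below come from the policy quoted in the thread; the rest is assumed.
EXEMPT = {"/ping", "/config", "/login", "/organizations"}
# mode -> (seconds between single-item calls, seconds between list calls, window seconds)
MODES = {1: (1, 10, 15 * 60), 5: (5, 50, 30 * 60)}


class HighDtuPacer:
    """Hypothetical client-side pacing driven by the X-Highdtu-Mode header."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.mode = 0            # 0 = no throttling announced
        self.mode_expires = 0.0
        self.last_call = {}      # (path, is_list) -> time of last attempt

    def _active_mode(self):
        if self.mode and self.clock() >= self.mode_expires:
            self.mode = 0        # the announced window has passed
        return self.mode

    def wait_needed(self, path, is_list):
        """Seconds to sleep before calling `path` (0.0 if allowed now)."""
        mode = self._active_mode()
        if path in EXEMPT or mode == 0:
            return 0.0
        single, lists, _ = MODES[mode]
        interval = lists if is_list else single
        last = self.last_call.get((path, is_list))
        if last is None:
            return 0.0
        return max(0.0, last + interval - self.clock())

    def record(self, path, is_list, status, headers):
        """Update state from a response (status code and a header dict)."""
        now = self.clock()
        self.last_call[(path, is_list)] = now
        raw = headers.get("X-Highdtu-Mode", "")
        mode = int(raw) if raw.strip().isdigit() else 0
        if mode in MODES:
            self.mode = mode
            self.mode_expires = now + MODES[mode][2]
        elif status == 429 and self.mode == 0:
            # Assumption: throttled without a usable header, use the stricter tier.
            self.mode, self.mode_expires = 5, now + MODES[5][2]
```

Call `wait_needed()` and sleep for the returned time before each request, then pass the response's status and headers to `record()`; the list/single distinction has to come from the caller because the header value alone does not carry it.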