Clarification of rate limits in v3.0


Jason

Aug 31, 2020, 12:30:40 AM
to ORCID API Users
Hi ORCID team, 

Can I/we get the current limits enforced on API calls, i.e., in the banner above there's:

> Limits on using the ORCID APIs:
> v1.2: Requests per second - 8; Burst (number of requests allowed to be queued before rejecting) - 40
> v2.0: Requests per second - 24; Burst - 40
> If you exceed the burst, you'll get a 503 response, and if you keep hitting the limits you'll get a message from us about how to better optimize your calls,

We assume the limits for v3.0 are the same as those under v2.0, but is that the case?  

We've also had the question of whether the three-legged OAuth call is exempt from throttling; we believe so, but can't find a notice either way.

Cheers,
Jason.

Pedro Costa

Sep 1, 2020, 4:55:57 AM
to ORCID API Users
Hi Jason,

Thanks for posting.

These are the limits for v3.0:
Member: 24 requests per second; 60 burst
Public: 24 requests per second; 40 burst

We're going to post these limits in the group banner too.

We're currently testing changes to our load balancing and DNS configuration on Sandbox that affect rate limiting, so there will be some variation on Sandbox until we get everything totally sorted. In the near future, there may also be changes to Production, which we will announce in advance.

With regards to your question about the three-legged OAuth call and throttling, I assume you're referring to /oauth/token requests. In that case, the limit is 48 requests per second; 75 burst.

Pedro Costa
QA & Support Specialist

Jason

Sep 1, 2020, 6:03:11 PM
to ORCID API Users
Thanks Pedro, 

Yes, /oauth/token was part of what I was asking but I hadn't realised that ORCID might have different limits for /oauth/token and /oauth/authorize.  

1/ Are /oauth/authorize requests limited?  If so, are the limits the same for /oauth/token?  I'm assuming not, as there's no way to control when users will start authorisation.
2/ Does anyone hit these limits in real world usage, i.e., should integrators plan to be queueing the /oauth/token exchange?

Cheers,
Jason.

Pedro Costa

Sep 3, 2020, 4:36:19 AM
to ORCID API Users
Hi Jason,

The limits for /oauth/token and /oauth/authorize (as well as any other UI requests) are the same -- 48 requests per second, 75 burst. Although we do have these limits in place, we don't know of anyone hitting them during authorization/token exchange. It would take a big number of users authorizing all at once to hit a rate limit on OAuth requests.

It's possible that you could hit the limits in the case of refresh tokens or token delegation, if you were requesting a big quantity of refresh tokens or exchanging a huge number of id tokens for access tokens all at once, but we're unaware of any cases where this has actually happened.

Pedro Costa
QA & Support Specialist



Jason

Sep 3, 2020, 5:57:45 PM
to ORCID API Users
Thanks Pedro, 

Sure.  125 logins in a second would be bad luck; it's still good to know though.

Cheers,
Jason.
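
For integrators who want to stay under the limits quoted in this thread and handle the 503 the banner describes, one option is to pace requests on the client side. This is an added example, not part of the original posts and not ORCID code; `Pacer`, `pacer_for`, `call_with_retry`, the `send` callable, the 50% burst headroom and the backoff delays are all assumptions.

```python
import time

# Limits quoted in this thread: (requests per second, burst).
LIMITS = {
    "v3.0-member": (24, 60),
    "v3.0-public": (24, 40),
    "oauth": (48, 75),  # /oauth/token and /oauth/authorize
}

class Pacer:
    """Client-side token bucket: `rate` sustained, `capacity` back to back."""

    def __init__(self, rate, capacity, clock=time.monotonic, sleep=time.sleep):
        self.rate, self.capacity = float(rate), float(capacity)
        self.clock, self.sleep = clock, sleep
        self.tokens = self.capacity
        self.last = clock()

    def acquire(self):
        """Block until one request may be sent; return seconds waited."""
        waited = 0.0
        while True:
            now = self.clock()
            gained = (now - self.last) * self.rate
            self.tokens = min(self.capacity, self.tokens + gained)
            self.last = now
            if self.tokens >= 1.0 - 1e-9:  # tolerance for float rounding
                self.tokens = max(0.0, self.tokens - 1.0)
                return waited
            delay = (1.0 - self.tokens) / self.rate
            self.sleep(delay)
            waited += delay

def pacer_for(kind, headroom=0.5, **kw):
    """Assumed policy: keep the client's own burst at a fraction of the server's."""
    rate, burst = LIMITS[kind]
    return Pacer(rate, max(1, int(burst * headroom)), **kw)

def call_with_retry(send, pacer, attempts=5, base_delay=0.5):
    """`send` is a hypothetical callable that returns an HTTP status code."""
    for attempt in range(1, attempts + 1):
        pacer.acquire()
        status = send()
        if status != 503 or attempt == attempts:
            return status, attempt
        pacer.sleep(base_delay * 2 ** (attempt - 1))  # exponential backoff
```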
