API Security: New Rate Limiting Policy
Leon Morales
President & Chief Energy Officer at the World's only Behavior and Money Insights Company - DNA Behavior International + Proud USAF Veteran
by Ryan Scott
In early March, we will be adding a new rate-limiting policy for the DNA APIs. This upgrade is to ensure site availability and security in support of all of our customers and partners.
While we do not publish a rate-limiting policy, we might temporarily rate limit if we identify traffic that appears to be abusive. We rate limit until we are confident that the activity is not problematic for DNA Behavior, our partners, or our customers.
To ensure maximum protection for the site, we constantly evaluate traffic as it surges and subsides and adjust our policies accordingly. If you or your customers receive an HTTP 429 Too Many Requests status code (RATE_LIMIT_REACHED), it means too many requests were made in a short period; that pattern might indicate anomalous traffic, and we rate limit it to ensure site stability.
Limits:
The request limit, and the rate-limit window after which that limit resets, vary by API endpoint.
Each endpoint is configured with a bucket that defines the following:
- the request limit, and
- the rate limit window (per second, per minute, per hour, and so on)
If your firm has specific requirements or standards for API requests, the above items can be configured on a per-account basis. Contact your account representative to discuss this.
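The bucket model described above (a request limit plus a reset window, configurable per endpoint and overridable per account) can be illustrated with a small fixed-window limiter. The code below is an added example, not DNA Behavior's implementation; the endpoint paths, limits, and account names are constructed, since the page does not publish its actual values.

```python
import math

# Constructed example buckets; the real per-endpoint values are not published.
BUCKETS = {
    "/v1/profile": {"limit": 3, "window": 60.0},   # 3 requests per minute
    "/v1/search":  {"limit": 5, "window": 1.0},    # 5 requests per second
}


class FixedWindowLimiter:
    """Per-(account, endpoint) fixed-window counter.

    Each endpoint has a default bucket; an account may carry an override
    bucket, mirroring the per-account configuration the page mentions.
    """

    def __init__(self, buckets, overrides=None):
        self.buckets = buckets
        self.overrides = overrides or {}   # (account, endpoint) -> bucket
        self.state = {}                    # (account, endpoint) -> window_start, count

    def bucket_for(self, account, endpoint):
        return self.overrides.get((account, endpoint), self.buckets[endpoint])

    def check(self, account, endpoint, now):
        """Decide one request at time `now` (seconds).

        Returns a dict with the decision, the HTTP status to emit, how many
        requests remain in the current window, and seconds until it resets.
        """
        b = self.bucket_for(account, endpoint)
        # Align the window to multiples of its length so all clients share
        # the same reset boundary and stale state is replaced, not accumulated.
        window_start = math.floor(now / b["window"]) * b["window"]
        state = self.state.get((account, endpoint))
        if state is None or state["window_start"] != window_start:
            state = {"window_start": window_start, "count": 0}
            self.state[(account, endpoint)] = state
        reset_in = window_start + b["window"] - now
        if state["count"] >= b["limit"]:
            return {"allowed": False, "status": 429, "remaining": 0, "reset_in": reset_in}
        state["count"] += 1
        return {
            "allowed": True,
            "status": 200,
            "remaining": b["limit"] - state["count"],
            "reset_in": reset_in,
        }


if __name__ == "__main__":
    lim = FixedWindowLimiter(BUCKETS)
    for t in (10.0, 10.1, 10.2, 10.3, 60.0):
        print(t, lim.check("acct-1", "/v1/profile", t))
```

The fourth call at t=10.3 is refused with a 60-second window that resets at t=60, which is exactly the information a server would surface in its response headers so clients know when to retry.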
Exceeding the Rate Limit:
If you exceed the provided rate limit for a given API endpoint, you will receive a response with HTTP Status Code 429 (Too Many Requests). You can refer to the HTTP Response Headers for more information on the rate limits applicable to that endpoint.
Actions such as rapidly updating configuration settings, aggressive polling, or making highly concurrent API calls may result in your app being rate limited.
If your app triggers the rate limit, please refrain from making additional requests until the appropriate amount of time has elapsed.
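A client that respects the behaviour described in this section retries only on 429, waits at least as long as the server asks, and backs off with jitter so that many clients do not all retry at the same instant. The following is an added example and not DNA Behavior's SDK; it assumes a standard `Retry-After` header carrying a delay in seconds, since the page does not name the headers it returns, and the fake transport is constructed for the demonstration.

```python
import random
import time


def parse_retry_after(headers, default=1.0):
    """Seconds to wait as signalled by Retry-After (delay-seconds form).

    Assumption: the API sends Retry-After; the page only says to consult
    the response headers. Falls back to `default` if absent or malformed.
    """
    value = headers.get("Retry-After")
    if value is None:
        return default
    try:
        return max(0.0, float(value))
    except ValueError:
        return default


def backoff_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Exponential backoff with full jitter: uniform in [0, min(cap, base*2^attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_rate_limit_handling(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call send() -> (status, headers, body), retrying only on HTTP 429.

    Waits for the larger of the server's Retry-After and the jittered backoff,
    so a client never retries earlier than the server asked. Any non-429 status
    is returned immediately; after max_attempts the last 429 is reported.
    """
    waits = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return {"status": status, "body": body, "attempts": attempt + 1, "waits": waits}
        wait = max(parse_retry_after(headers), backoff_delay(attempt, rng=rng))
        waits.append(wait)
        sleep(wait)
    return {"status": 429, "body": None, "attempts": max_attempts, "waits": waits}


def make_fake_api(rate_limited_responses):
    """Constructed transport: the first N calls answer 429, then 200."""
    calls = {"n": 0}

    def send():
        calls["n"] += 1
        if calls["n"] <= rate_limited_responses:
            return 429, {"Retry-After": "2"}, {"error": "RATE_LIMIT_REACHED"}
        return 200, {}, {"ok": True}

    return send


if __name__ == "__main__":
    # Two 429s, then success; sleeps are recorded rather than performed.
    recorded = []
    print(call_with_rate_limit_handling(make_fake_api(2), sleep=recorded.append))
    print("waited:", recorded)
```

Injecting `sleep` and `rng` keeps the retry loop deterministic under test and also lets an application plug in an async-aware sleep without changing the policy logic.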