All the endpoints are instrumented with rate limiting controls in place to restrict the amount of traffic from clients. This is to protect the External Assets Platform APIs from misbehaving client or denial of service attacks like a single client overloading the system by sending too many requests and disrupting other legitimate clients trying to access the External Assets Platform.

Rate limit policy

Rate limits are applied per vendor app key. Currently the rate limit thresholds are configured on a rate limit window of 60 seconds. However the rate limit window is subject to vary in the future.

Rate limit response headers

The following HTTP response headers are returned indicating the rate and threshold allowed for a client for each endpoint.

• X-RateLimit-Limit: The number of allowed requests in the current period.
• X-RateLimit-Remaining: The number of remaining requests in the current period.
• X-RateLimit-Reset: Next period reset time (ISO 8601 - Date and time in UTC)

Client Breaching rate limit thresholds

When a client breach the rate limit thresholds, they get HTTP 429 Too Many Requests responses. The client has to wait for the rate limit counter to reset on the server before being able to make successful requests.