Suggested HTTP REST status code for 'request limit reached'

Question

I'm putting together a spec for a REST service, part of which will incorporate the ability to throttle users service-wide and on groups of, or on individual, resources. Equally, time-outs for these would be configurable per resource/group/service.

I'm just looking through the HTTP 1.1 spec and trying to decide how I will communicate to a client that a request will not be fulfilled because they've reached their limit.

Initially I figured that client code 403 - Forbidden was the one, but this, from the spec:

Authorization will not help and the request SHOULD NOT be repeated

bothered me.

It actually appears that 503 - Service Unavailable is a better one to use - since it allows for the communication of a retry time through the use of the Retry-After header.

It's possible that in the future I might look to support 'purchasing' more requests via eCommerce (in which case it would be nice if client code 402 - Payment Required had been finalized!) - but I figure that this could equally be squeezed into a 503 response too.

Which do you think I should use? Or is there another I've not considered?

score 82 · Accepted Answer · edited Oct 07 '21 at 06:47

82

429 Too Many Requests

The user has sent too many requests in a given amount of time. Intended for use with rate limiting schemes. This code has been accepted in RFC 6585 Additional HTTP Status Codes.

   The 429 status code indicates that the user has sent too many
   requests in a given amount of time ("rate limiting").

   The response representations SHOULD include details explaining the
   condition, and MAY include a Retry-After header indicating how long
   to wait before making a new request...

   Note that this specification does not define how the origin server
   identifies the user, nor how it counts requests.  For example, an
   origin server that is limiting request rates can do so based upon
   counts of requests on a per-resource basis, across the entire server,
   or even among a set of servers.  Likewise, it might identify the user
   by its authentication credentials, or a stateful cookie.

   Responses with the 429 status code MUST NOT be stored by a cache...

edited Oct 07 '21 at 06:47

Community

1

answered Jan 05 '12 at 16:22

Sean McMillan

5,075
25
26

Sounds awesome - I'll keep it in mind! Does it come with free cats? Or are they an extension to the protocol? – Andras Zoltan Jan 06 '12 at 09:50
3

HTTP Status cats -- for all your status needs: http://www.flickr.com/photos/girliemac/sets/72157628409467125/ – Sean McMillan Jan 09 '12 at 13:21
1

that has just gone round the office to much laughter and applause - genius! – Andras Zoltan Jan 09 '12 at 14:33
I went with a 429 in the end - it's in the draft spec but I seriously doubt it'll end up being used for anything else. – Andras Zoltan Oct 30 '12 at 21:55

Marcin · Answer 2 · 2016-04-14T13:24:03.853

7

To an extent, you're free to do what you like with the codes, but I would agree that you can use 503, or if you want 402, without anyone being able to complain that you are breaking things.

Edit: A purist might say that you should start with 503, then switch once it's possible to make payments.

An excellent addition to this in the comments:

A 4xx indicates an error by the client that can be fixed by them taking a certain action, whereas a 5xx indicates a problem on the server that the client can't help resolve. So in your case, a 4xx is more appropriate, because the (i) the server is behaving exactly as it should, and (ii) the client can "fix" the error by either slowing down or purchasing more credits. The exact resolution can be indicated in the body of the 429 response. – Mike Chamberlain 7 hours ago

edited Apr 14 '16 at 13:24

answered Jan 05 '12 at 11:48

Marcin

498
4
12

503! 503! 503! Reached the limit, the next call is forbiden. Plain and simple... – yannis Jan 05 '12 at 12:10
@YannisRizos: Ah, but it's not forbidden once the payment has been made! – Marcin Jan 05 '12 at 12:13
1

The error code represents the result of the single request. If the payment was made, then on a subsequent request it's business as usual... If you document the behaviour, it's fine by me. Or you could just return 200, with an error message. But that's not pretty. Although some might say using HTTP error codes for business logic is not pretty. Ah well, I'd personally go with 503, service is not available at this moment - until of course 402 is commonly supported. – yannis Jan 05 '12 at 12:21
@YannisRizos (& Marcin) - thanks for your comments - I figured 503 was the best one to go with; whilst also understanding that implementations of a RESTful nature can often fall foul of being woolly when it comes to their use of HTTP status codes. My personal viewpoint on this is to use what the protocol provides unless it doesn't fit (which is actually very rare). In this case, it definitely does! – Andras Zoltan Jan 05 '12 at 12:38
6

A 4xx indicates an error by the client that can be fixed by them taking a certain action, whereas a 5xx indicates a problem on the server that the client can't help resolve. So in your case, a 4xx is more appropriate, because the (i) the server is behaving exactly as it should, and (ii) the client can "fix" the error by either slowing down or purchasing more credits. The exact resolution can be indicated in the body of the 429 response. – Mike Chamberlain Apr 14 '16 at 05:46
@MikeChamberlain I've quoted you wholesale in the body of the answer. – Marcin Apr 14 '16 at 13:24

Suggested HTTP REST status code for 'request limit reached'

2 Answers2

429 Too Many Requests