Learn about rate limiting in our REST APIs, including usage guidelines, error handling, and best practices for developers.
Rate limiting is an essential feature in Miro's REST APIs that helps ensure the stability, security, and fair use of system resources. By controlling the number of API calls allowed within a specific time frame, rate limiting prevents overwhelming the server, protects against abuse, and ensures a smooth experience for all users.
Why rate limiting is important
-
Prevents resource exhaustion: By limiting the number of API calls, rate limiting ensures that the server's resources (CPU, memory, network bandwidth) are not exhausted by a high volume of requests, which could affect all users.
-
Improves API performance: Rate limiting prevents overloading the API, ensuring that it remains responsive even when many users access it simultaneously.
-
Mitigates abuse: Rate limiting helps prevent brute force attacks, denial of service (DoS) attacks, and other malicious activities by limiting the number of requests that can be sent from a single source.
-
Fair usage: It ensures that no single user or application can monopolize API resources, providing fair access to all users.
How rate limiting works
In our REST API, rate limiting is applied on a per-user per-application basis. This means that each user and application combination has its own quota of API calls that can be made within a defined time period.
We measure API usage in credits, where each API method consumes a different number of credits based on its complexity and resource consumption. For example, an API method that retrieves a simple data object may consume fewer credits than a method that performs a complex calculation or database query.
Rate limit tiers
The following table outlines the rate limit tiers and the cost of each API call:
Weight | Cost of one API call | Requests per minute |
---|---|---|
Level 1 | 50 credits | 2000 |
Level 2 | 100 credits | 1000 |
Level 3 | 500 credits | 200 |
Level 4 | 2000 credits | 50 |
Your application's requests to the API are evaluated per method, and currently, there is a global limit of 100,000 credits per minute.
If your app exceeds the rate limit, the API will return a 429 Too many requests
error with the following structure:
{
"status": 429,
"code": "tooManyRequests",
"message": "Request rate limit exceeded",
"context": null,
"type": "error"
}
Monitoring rate limits
Every API response contains HTTP headers that provide insight into your rate limit usage:
- X-RateLimit-Limit: The total number of credits allocated per minute.
- X-RateLimit-Remaining: The number of credits remaining in the current time window.
- X-RateLimit-Reset: The timestamp (UNIX epoch) for when the credits will be reset.
You can use these headers to monitor your app’s API usage in real-time and adjust your request frequency accordingly to avoid hitting the rate limits.
Best practices
-
Handling of 429 Errors: When your app receives a
429 Too many requests
error, implement retry logic with an appropriate backoff strategy (for example, exponential backoff) to avoid repeatedly hitting the limit. -
Monitor API usage: Use the rate limit headers to track and manage your API usage in real-time. If you're approaching the limit, consider reducing the frequency of your API calls or optimizing your requests.
-
Use batch requests when possible: If you need to make multiple API calls, consider using batch processing or combining multiple operations into a single API call when possible to reduce the overall number of requests.
-
Optimize API calls: Make sure you're only requesting the data you need. Unnecessary API calls increase the chances of hitting the rate limit.
Increasing rate limits for enterprise applications
If your application requires higher rate limits due to high traffic or complex operations, consider upgrading to the Enterprise plan. This plan offers enhanced capabilities, including higher rate limits for APIs.
For example, the Enterprise Teams API allows you to manage teams within your organization, which is particularly useful for large-scale applications. Access to these APIs requires the appropriate roles and permissions.
Temporary access to Enterprise plan
You can request temporary access to enterprise-level APIs by filling out this request form.
By adhering to these guidelines and understanding rate limiting, you can ensure that your application performs optimally while maintaining a fair and secure use of the API.