I want to limit clients to an upper limit on the number of calls to my REST APIs. What should I return to inform clients that they've been throttled?

Amazon S3 is returning HTTP 503 with an error code SlowDown to inform clients.

What do you advise?

+3  A: 

Since RFC 2616 documents status 503 as (my emphasis):

The server is currently unable to handle the request due to a temporary overloading or maintenance of the server. The implication is that this is a temporary condition which will be alleviated after some delay. If known, the length of the delay MAY be indicated in a Retry-After header.

it seems a reasonable approach, especially with a Retry-After header.

Alex Martelli
Besides HTTP 503, you can also use HTTP 421 - There are too many connections from your internet address. (But my personal favorite is HTTP 418 - I'm a teapot. :-))
Franci Penov
Twitter is returning a non-standard HTTP 420.
Jacques René Mesrine
RFC 2616 defines none of these 4xx's and says "The 4xx class of status code is intended for cases in which the client seems to have erred", which seems inappropriate here, where the client has done nothing wrong and it's the _server_ that's overloaded.
Alex Martelli
In Twitter's case, they have expressly told clients that there is a 150-request-per-hour limit. So in a way, the client is breaking the agreement.
Jacques René Mesrine
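
The approach discussed in this thread (503 plus a Retry-After header) as an added example, not code from any poster: a per-client fixed-window limiter in front of a WSGI app. The class and function names, the JSON body, and keying on `REMOTE_ADDR` are assumptions made for illustration; the 150-per-hour figure is the one quoted in the comments.

```python
import math
import time

LIMIT = 150      # requests allowed per window (figure quoted in the thread)
WINDOW = 3600    # window length in seconds (one hour)

class FixedWindowLimiter:
    """Per-client fixed-window counter (hypothetical helper, not a library API)."""

    def __init__(self, limit=LIMIT, window=WINDOW, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._state = {}  # client id -> (window start, calls counted)

    def check(self, client):
        """Return 0 if the call is allowed, else whole seconds until reset."""
        now = self.clock()
        start, count = self._state.get(client, (now, 0))
        if now - start >= self.window:   # previous window expired: start afresh
            start, count = now, 0
        if count >= self.limit:          # over quota: report the remaining wait
            return max(1, math.ceil(start + self.window - now))
        self._state[client] = (start, count + 1)
        return 0

def make_app(limiter):
    """WSGI app that answers throttled clients with 503 and Retry-After."""
    def app(environ, start_response):
        # Assumption: REMOTE_ADDR identifies the client. Behind a proxy, or
        # with API keys, key on the authenticated identity instead.
        wait = limiter.check(environ.get("REMOTE_ADDR", "unknown"))
        if wait:
            body = b'{"error": "SlowDown"}'   # constructed body, format assumed
            start_response("503 Service Unavailable", [
                ("Content-Type", "application/json"),
                ("Retry-After", str(wait)),   # delay-seconds form of the header
                ("Content-Length", str(len(body))),
            ])
            return [body]
        body = b'{"ok": true}'
        start_response("200 OK", [("Content-Type", "application/json"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return app
```

Rejected calls are not counted against the next window, and the per-client table is never pruned here; a long-running service would expire idle entries.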