Rate Limiting

Rate limit policies and best practices for the Atlantic ID API.

Rate Limit Values

Authentication Endpoints

POST /oauth/authorize  → 100 requests/minute per IP
POST /oauth/token      → 50 requests/minute per client_id
GET  /oauth/userinfo   → 200 requests/minute per access_token

Other Endpoints

GET  /.well-known/openid-configuration  → 1000 requests/minute per IP
GET  /oauth/jwks                        → 1000 requests/minute per IP
POST /oauth/revoke                      → 50 requests/minute per client_id

Response Headers

Rate limit information is returned in every response:

HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1735686060

Header                  Description
X-RateLimit-Limit       Maximum number of requests
X-RateLimit-Remaining   Remaining request allowance
X-RateLimit-Reset       Reset time (Unix timestamp)

429 Too Many Requests

When the rate limit is exceeded:

HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Retry-After: 45
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1735686045

{
  "error": "rate_limit_exceeded",
  "error_description": "Too many requests. Try again in 45 seconds."
}

Handling Rate Limits

Exponential Backoff

async function fetchWithRetry(url, options, maxRetries = 3) {
  for (let i = 0; i < maxRetries; i++) {
    const response = await fetch(url, options);

    if (response.status === 429) {
      // Honour Retry-After (seconds) when present and numeric; otherwise
      // fall back to exponential backoff (1s, 2s, 4s, ...). parseInt(null) is NaN,
      // so a missing header also takes the fallback path.
      const seconds = parseInt(response.headers.get('Retry-After'), 10);
      const retryAfter = Number.isNaN(seconds) ? Math.pow(2, i) : seconds;
      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
      continue;
    }

    return response;
  }
  throw new Error('Max retries exceeded');
}

Rate Limit Aware Client

class RateLimitedClient {
  constructor() {
    this.remaining = null;
    this.resetAt = null;
  }

  async request(url, options) {
    // Check if we need to wait
    if (this.remaining === 0 && Date.now() < this.resetAt) {
      const waitTime = this.resetAt - Date.now();
      await new Promise(resolve => setTimeout(resolve, waitTime));
    }

    const response = await fetch(url, options);

    // Update rate limit state; a missing or malformed header leaves the
    // value unknown (null) instead of NaN, so the check above keeps working
    const remaining = parseInt(response.headers.get('X-RateLimit-Remaining'), 10);
    const reset = parseInt(response.headers.get('X-RateLimit-Reset'), 10);
    this.remaining = Number.isNaN(remaining) ? null : remaining;
    this.resetAt = Number.isNaN(reset) ? null : reset * 1000; // header is in seconds

    return response;
  }
}

Best Practices

✅ Do

  1. Cache responses - JWKS, discovery metadata
  2. Implement backoff - Exponential backoff on 429
  3. Monitor headers - Track remaining quota
  4. Batch operations - Group related requests
  5. Use refresh tokens - Don't re-authenticate unnecessarily

❌ Don't

  1. Ignore 429 - This is not a permanent failure
  2. Aggressive polling - Use webhooks instead of long polling
  3. Unnecessary requests - Don't re-request data that can be cached

Monitoring

// Track rate limit usage
const rateLimitMetrics = {
  hits: 0,
  remaining: null,

  record(response) {
    this.hits++;
    // Parse to a number; the raw header is a string, and a missing header
    // (null) would otherwise compare as 0 and trigger a false warning
    const remaining = parseInt(response.headers.get('X-RateLimit-Remaining'), 10);
    this.remaining = Number.isNaN(remaining) ? null : remaining;

    if (this.remaining !== null && this.remaining < 10) {
      console.warn('Rate limit warning: Only', this.remaining, 'requests left');
    }
  }
};
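The backoff, rate-limit-aware client and monitoring snippets above can be folded into a single client. The following is an added example, not Atlantic ID's own code; the class name AtlanticIdClient, the injectable fetchImpl/sleep/now hooks and the 30-second backoff cap are assumptions, not part of the API.

```javascript
// Added example (not Atlantic ID's own code): one client that honours Retry-After on
// 429, falls back to capped exponential backoff, waits pre-emptively when
// X-RateLimit-Remaining is 0, and counts near-quota warnings. fetchImpl/sleep/now
// are injectable (assumed hooks) so it can be driven by a fake server offline.
function headerInt(headers, name) {
  const n = parseInt(headers.get(name) ?? '', 10); // missing or junk -> null
  return Number.isNaN(n) ? null : n;
}

class AtlanticIdClient {
  constructor({ fetchImpl, sleep, now = Date.now, maxRetries = 3, warnBelow = 10 } = {}) {
    this.fetchImpl = fetchImpl ?? globalThis.fetch;
    this.sleep = sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
    this.now = now;
    this.maxRetries = maxRetries;
    this.warnBelow = warnBelow;
    this.remaining = null; // last X-RateLimit-Remaining
    this.resetAt = null;   // last X-RateLimit-Reset, ms since epoch
    this.warnings = 0;     // responses seen with remaining < warnBelow
  }
  // 429 delay: Retry-After (seconds) wins, else 1s, 2s, 4s ... capped at capMs.
  static backoffMs(headers, attempt, capMs = 30000) {
    const retryAfter = headerInt(headers, 'Retry-After');
    return retryAfter !== null ? retryAfter * 1000 : Math.min(capMs, 1000 * 2 ** attempt);
  }
  // Milliseconds to wait before sending; 0 when quota is available or unknown.
  preemptiveWaitMs() {
    const blocked = this.remaining === 0 && this.resetAt !== null && this.now() < this.resetAt;
    return blocked ? this.resetAt - this.now() : 0;
  }
  recordHeaders(headers) {
    this.remaining = headerInt(headers, 'X-RateLimit-Remaining');
    const reset = headerInt(headers, 'X-RateLimit-Reset');
    this.resetAt = reset === null ? null : reset * 1000;
    if (this.remaining !== null && this.remaining < this.warnBelow) this.warnings++;
  }
  async request(url, options = {}) {
    for (let attempt = 0; attempt < this.maxRetries; attempt++) {
      const wait = this.preemptiveWaitMs();
      if (wait > 0) await this.sleep(wait);
      const response = await this.fetchImpl(url, options);
      this.recordHeaders(response.headers);
      if (response.status !== 429) return response;
      // Don't sleep after the final attempt; just fall through to the error.
      if (attempt + 1 < this.maxRetries) {
        await this.sleep(AtlanticIdClient.backoffMs(response.headers, attempt));
      }
    }
    throw new Error(`Rate limited: gave up after ${this.maxRetries} attempts to ${url}`);
  }
}
```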

Quota Increase

Do you have high traffic?

  • 📧 developers@codeatlantis.com
  • Custom quota for production clients

Related: Error Handling, Security