REST API Rate Limiting / Throttling - clarification needed

miriamberge
Tera Guru

Referencing this page:

https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/inbound-rest/conce...

To clarify:

1. If I don't create a rate limit for every api/method, what is the default value and where do I find that?  Is it unlimited?  I didn't see a property for that.

2. If I have an api with security set up for only certain roles to use and I create a rate limit of 110 for that api and specify "users with role" and role is "incident_api_role1" - my understanding is that I could have 5 users with that role and between the 5 of them they can only send 110 requests before they get a message saying they exceed the rate limit, correct? If I had incident_api_role2 that has access to that same api but did not create a rate limit for that role specifically, would incident_api_role2 be able to send unlimited requests?

Edited to add: if you were paranoid, could you add a rate limit of 0 for the api and specify "All users", knowing that the "users with role" rate limit would override that - effectively only allowing incident_api_role1 to send requests and sending a limit exceeded error to incident_api_role2 if they even tried?  (Security is controlled through access controls and/or rest endpoint acl, but I'm just curious if that might be another safeguard to put in place).

Thanks!


1 ACCEPTED SOLUTION

Willem
Giga Sage

1. Did a test with an API that does not have Rate limit set up. It does not show any of the X-RateLimit information:

From the Docs: [screenshot of the X-RateLimit response headers]

From the test call: [screenshot of the response, no X-RateLimit headers present]

2. It is registered per user. Not explicitly mentioned in the article but here are some lines hinting at it:

"You can create rules to limit requests for specific users, users with specific roles, or all users."

"each node maintains a rate limit count per user."

Also if we look at the example, the setup is set to 3 Requests. The text says: each user with the import_admin role can submit up to three requests per hour.

[screenshot of the example rate limit rule]

As for the bonus one: as you said, there are ACLs securing this. ServiceNow has a lot of documentation you can request as a (paranoid) customer and they will gladly provide you with documents showing the extent of their security.


Hope this helped. Let me know if you have any more questions.
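The per-user counting this answer describes, modelled as an added Python example (not ServiceNow's own code): one rule of three requests per hour for users with import_admin, counted separately for each user, and no headers and no cap when no rule matches. The X-RateLimit-* header names, the 429 status and the fixed hourly window are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 3600  # the docs example counts requests per hour (assumed fixed window)


@dataclass
class RateLimitRule:
    """One rule: a request limit per window, scoped to a role (None = all users)."""
    limit: int
    role: Optional[str] = None


class PerUserRateLimiter:
    """Model of the behaviour in the accepted answer: the count is kept per user,
    not pooled across everyone holding the role. A single optional rule is enough
    to show the documented example; rule precedence is deliberately not modelled."""

    def __init__(self, rule: Optional[RateLimitRule] = None):
        self.rule = rule
        self.windows = {}  # user -> (window_start, count)

    def _headers(self, limit: int, remaining: int, reset_at: int) -> dict:
        # Header names are assumed for illustration, not taken from this thread.
        return {"X-RateLimit-Limit": limit,
                "X-RateLimit-Remaining": remaining,
                "X-RateLimit-Reset": reset_at}

    def handle(self, user: str, roles: set, now: float):
        """Return (status, headers) for one request by 'user' at time 'now' (seconds)."""
        rule = self.rule
        # Point 1 of the answer: no matching rule means no X-RateLimit headers and no cap.
        if rule is None or (rule.role is not None and rule.role not in roles):
            return 200, {}
        start, count = self.windows.get(user, (now, 0))
        if now - start >= WINDOW_SECONDS:  # this user's hour elapsed: fresh window
            start, count = now, 0
        reset_at = int(start + WINDOW_SECONDS)
        if count >= rule.limit:  # only this user is blocked; others keep their own budget
            self.windows[user] = (start, count)
            return 429, self._headers(rule.limit, 0, reset_at)
        count += 1
        self.windows[user] = (start, count)
        return 200, self._headers(rule.limit, rule.limit - count, reset_at)
```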


5 Replies


Thanks for providing some additional clarification.  I took my cue from above and tested out with two different users.  I think I was just overthinking this.  😄  

After testing out myself, I see you can't actually create a rate limit of 0 (in terms of my pondering the all users / extra safeguard comment in original post).

The concern expressed from some team members is, if you don't specify a rate limit and one of the business areas using the rest api starts hitting SN hard with requests... how do you ensure that you're not causing a performance issue... I was curious if at some point SN caps things off... sounds like I may have to reach out to SN in order to answer that question. 

Thanks again for the help!


You are very welcome! Can you mark the answer as Correct and helpful? That way the thread is closed and others can find the answers as well.

@miriamberge I had the same question. Without any rate limit rule created for a custom API, is there a platform limit where SN caps things off? Did you ever reach out to SN to find out the answer? I'd be curious to know what the answer is. 🙂

Thanks!