REST API Rate Limiting / Throttling - clarification needed

miriamberge
Tera Guru

Referencing this page:

https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/inbound-rest/conce...

To clarify:

1. If I don't create a rate limit for every API/method, what is the default value and where do I find that? Is it unlimited? I didn't see a property for that.

2. If I have an API with security set up so that only certain roles can use it, and I create a rate limit of 110 for that API and specify "users with role" with the role "incident_api_role1", my understanding is that I could have 5 users with that role and between the 5 of them they can only send 110 requests before they get a message saying they exceeded the rate limit, correct? If I had incident_api_role2 that has access to that same API but did not create a rate limit for that role specifically, would incident_api_role2 be able to send unlimited requests?

Edited to add: if you were paranoid, could you add a rate limit of 0 for the API and specify "All users", knowing that the "users with role" rate limit would override that, effectively only allowing incident_api_role1 to send requests and sending a limit exceeded error to incident_api_role2 if they even tried? (Security is controlled through access controls and/or REST endpoint ACLs, but I'm just curious whether that might be another safeguard to put in place.)

Thanks!


1 ACCEPTED SOLUTION

Willem
Giga Sage

1. Did a test with an API that does not have a rate limit set up. It does not show any of the X-RateLimit information:

From the docs:

[screenshot of the X-RateLimit response headers in the documentation, not included]

From the test call:

[screenshot of the test call response, not included]

2. It is registered per user. Not explicitly mentioned in the article, but here are some lines hinting at it:

"You can create rules to limit requests for specific users, users with specific roles, or all users."

"each node maintains a rate limit count per user."

Also, if we look at the example, the setup is set to 3 requests. The text says: "Each user with the import_admin role can submit up to three requests per hour."

[screenshot of the example rate limit rule, not included]

As for the bonus one: as you said, there are ACLs securing this. ServiceNow has a lot of documentation you can request as a (paranoid) customer, and they will gladly provide you with documents showing the extent of their security.

Hope this helped. Let me know if you have any more questions.

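To make the per-user semantics in the accepted answer concrete, here is a small model of rule selection and counting, added as an illustration and not ServiceNow's own code. It assumes (the page does not state this) that the most specific rule wins, user-specific before role-based before "all users", that a matched rule's limit is counted separately for each calling user, and that the X-RateLimit-Limit / X-RateLimit-Remaining headers are only returned when some rule matched. It replays the two situations from the question: five incident_api_role1 users under a 110-request role rule, an incident_api_role2 user with no rule, and the "all users, limit 0" fallback from the edit.

```python
"""
Toy model of how per-user REST rate-limit rules resolve for a request.
Added example; this is not ServiceNow's implementation. Assumptions
(not stated on the page): the most specific rule wins (user > role >
all users), the matched rule's limit is counted per calling user, and
X-RateLimit-* headers are only returned when some rule matched.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RateLimitRule:
    name: str
    scope: str              # "user", "role" or "all"
    target: Optional[str]   # user id, role name, or None for "all"
    limit: int              # allowed requests per window


@dataclass
class User:
    user_id: str
    roles: set


@dataclass
class RateLimiter:
    rules: list
    # Counts are kept per (rule, user): the limit is not shared across users.
    counts: dict = field(default_factory=dict)

    def match(self, user: User) -> Optional[RateLimitRule]:
        # Assumed precedence: user-specific, then role-based, then "all users".
        for scope in ("user", "role", "all"):
            for rule in self.rules:
                if rule.scope != scope:
                    continue
                if scope == "user" and rule.target == user.user_id:
                    return rule
                if scope == "role" and rule.target in user.roles:
                    return rule
                if scope == "all":
                    return rule
        return None

    def request(self, user: User) -> dict:
        rule = self.match(user)
        if rule is None:
            # No rule applies: the request goes through and, as in the
            # accepted answer's test call, no X-RateLimit headers are set.
            return {"status": 200, "headers": {}}
        key = (rule.name, user.user_id)
        used = self.counts.get(key, 0)
        if used >= rule.limit:
            return {"status": 429, "headers": {
                "X-RateLimit-Limit": rule.limit, "X-RateLimit-Remaining": 0}}
        self.counts[key] = used + 1
        return {"status": 200, "headers": {
            "X-RateLimit-Limit": rule.limit,
            "X-RateLimit-Remaining": rule.limit - used - 1}}


def scenario_role_rule() -> dict:
    """Five users with incident_api_role1 under a 110-request role rule,
    plus one incident_api_role2 user with no rule at all (constructed data)."""
    limiter = RateLimiter([RateLimitRule("role1_limit", "role", "incident_api_role1", 110)])
    role1_users = [User(f"user{i}", {"incident_api_role1"}) for i in range(5)]
    accepted = 0
    for u in role1_users:
        for _ in range(111):            # one more than the limit, per user
            if limiter.request(u)["status"] == 200:
                accepted += 1
    role2 = limiter.request(User("other", {"incident_api_role2"}))
    return {"role1_accepted": accepted, "role2_status": role2["status"],
            "role2_headers": role2["headers"]}


def scenario_deny_all_fallback() -> dict:
    """Same role rule plus an 'all users' rule with limit 0, as asked in the
    edit: under the assumed precedence the role rule still wins for role1."""
    limiter = RateLimiter([
        RateLimitRule("role1_limit", "role", "incident_api_role1", 110),
        RateLimitRule("deny_everyone_else", "all", None, 0),
    ])
    role1 = limiter.request(User("user0", {"incident_api_role1"}))
    role2 = limiter.request(User("other", {"incident_api_role2"}))
    return {"role1_status": role1["status"], "role2_status": role2["status"]}


if __name__ == "__main__":
    print(scenario_role_rule())          # 550 accepted; role2 allowed with no headers
    print(scenario_deny_all_fallback())  # role1 200, role2 429
```

Under these assumptions the five role1 users get 550 requests between them, not 110, and the role2 user is never limited and never sees a header. The fallback rule does turn role2 away, but it is still a rate limit rather than an access control: verify the precedence on a sub-production instance before relying on it, and keep the ACLs as the actual authorization boundary.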

5 REPLIES

Sudhanshu Talw1
Tera Guru

As requests reach an instance, each node maintains a rate limit count per user.

Every 30 seconds, the count is committed to the database. As a result, a rate limit rule may not take effect for up to 30 seconds.

https://docs.servicenow.com/bundle/madrid-application-development/page/integrate/inbound-rest/task/c...


Thanks

Sudhanshu
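The per-node counting with a 30-second commit that this reply quotes has a practical consequence worth seeing in code: until the counts are merged, each node enforces only against what it has seen locally, so a burst spread across nodes can briefly exceed the configured limit. The simulation below is an added example, not ServiceNow code; it assumes each node keeps a local count, folds it into the shared database every COMMIT_INTERVAL seconds, and enforces against the shared count plus its own uncommitted count.

```python
"""
Simulation of per-node rate-limit counting with deferred commit.
Added example, not ServiceNow's implementation. Assumptions: each node
counts locally, counts are merged into a shared store every
COMMIT_INTERVAL seconds, and a node enforces against shared + local.
"""
COMMIT_INTERVAL = 30.0   # seconds, as quoted from the docs


class Node:
    def __init__(self, cluster, name):
        self.cluster = cluster
        self.name = name
        self.local = {}      # user -> requests seen since the last commit

    def request(self, user: str, now: float) -> int:
        """Handle one request at time `now`; returns an HTTP-style status."""
        self.cluster.tick(now)
        seen = self.cluster.committed.get(user, 0) + self.local.get(user, 0)
        if seen >= self.cluster.limit:
            return 429
        self.local[user] = self.local.get(user, 0) + 1
        return 200


class Cluster:
    def __init__(self, limit: int, node_count: int):
        self.limit = limit
        self.committed = {}  # the shared, database-backed count per user
        self.nodes = [Node(self, f"node{i}") for i in range(node_count)]
        self.last_commit = 0.0

    def tick(self, now: float) -> None:
        # Merge every node's local count into the shared store once per interval.
        if now - self.last_commit >= COMMIT_INTERVAL:
            for node in self.nodes:
                for user, count in node.local.items():
                    self.committed[user] = self.committed.get(user, 0) + count
                node.local.clear()
            self.last_commit = now


def burst_across_nodes(limit: int = 3, node_count: int = 4, requests: int = 20) -> int:
    """One user sends `requests` requests round-robin across the nodes, one per
    second, all inside a single commit interval; returns how many were accepted."""
    cluster = Cluster(limit, node_count)
    accepted = 0
    for i in range(requests):
        node = cluster.nodes[i % node_count]
        if node.request("alice", now=float(i)) == 200:
            accepted += 1
    return accepted


def status_after_commit(limit: int = 3, node_count: int = 4) -> int:
    """Fill every node's local allowance, then send one more request after the
    commit interval has elapsed: the merged count is now visible everywhere."""
    cluster = Cluster(limit, node_count)
    for i in range(limit * node_count):
        cluster.nodes[i % node_count].request("alice", now=float(i))
    return cluster.nodes[0].request("alice", now=COMMIT_INTERVAL + 1.0)


if __name__ == "__main__":
    print(burst_across_nodes())                # 12 accepted against a limit of 3
    print(burst_across_nodes(node_count=1))    # 3 accepted: one node, no gap
    print(status_after_commit())               # 429 once the counts are merged
```

With four nodes and a limit of 3 the user gets 12 requests through before any node says no; with a single node the limit holds exactly. The lesson for the defender is that a rate limit rule is a coarse guardrail whose effective ceiling during the commit window is roughly the limit times the node count, so it should back up the ACLs rather than stand in for them, and any alerting on 429 volume should expect that lag.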