Meraki

Community

Feature request - 429 Too many requests - per Org or per IP header

MartinS
Building a reputation
‎Dec 19 2023 4:47 AM
‎Dec 19 2023 4:47 AM

Feature request - 429 Too many requests - per Org or per IP header

Hi,

 

We're preparing for the situation where quite soon we believe we're going to start hitting the 100 requests per IP API rate limit with some of our larger partners. When that happens, we're expecting to see a 429 and we'll handle that, but it would be very useful to have an additional header which told us if the 429 relates to the 10-per-Org limit, or the 100-per-IP limit. The reason this would be useful is we have additional mitigation options if the limit being exceeded is the per IP one.

 

Best

 

Martin

---
COO
Highlight - Service Observability Platform
www.highlight.net
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 19 2023 5:46 AM
‎Dec 19 2023 5:46 AM

Did you check this thread?

 

 

https://community.meraki.com/t5/Developers-APIs/Please-tell-me-how-to-solve-429-Too-many-requests/m-...

Purpose and importance

API call budgets define the number of API calls that an API client can make in a given amount of time and are a safeguard against runaway applications and malicious behavior. Call budgets (or rate limits) are a standard feature of high performance APIs across industries and working within the provided call budget is table stakes for any developer building an application that consumes the API. The best practice is for applications to manage API call budgets effectively and avoid making API calls in excess of the limit.

 

https://developer.cisco.com/meraki/api/#!rate-limit

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
MartinS
Building a reputation
‎Dec 19 2023 8:59 AM
‎Dec 19 2023 8:59 AM

Hi, @alemabrahao, thanks for the reply. Sorry I don't understand. I'm not sure what the relevance of that thread is to my request? Could you explain please?

 

Martin

---
COO
Highlight - Service Observability Platform
www.highlight.net
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 19 2023 9:56 AM
‎Dec 19 2023 9:56 AM

That does sound useful - but wearing a security hat, if I was Meraki I would not implement it.  This information might be useful to an attacker.

0 Kudos
In response to PhilipDAth
MartinS
Building a reputation
‎Dec 19 2023 11:36 AM
‎Dec 19 2023 11:36 AM

@PhilipDAth That's an interesting point of view. I would have thought the risk would be minimal as you need a valid API key don't you?

---
COO
Highlight - Service Observability Platform
www.highlight.net
0 Kudos
In response to MartinS
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 19 2023 11:50 AM
‎Dec 19 2023 11:50 AM

I'm not sure the threat of a DOS attack is changed much by whether you have a valid API key or not (it depends on how resources are consumed), but I am just conjecturing on reasons why they might not do this.  🙂

 

In a perfect world, you would get rid of API limits.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.