Skip to content

I suggest you ...

← General

fix API v3 rate limiting which claims to be per API key

The API v3 rate limiting documentation (https://haveibeenpwned.com/API/v3#RateLimiting) initially claims that the API is rate-limited on a per-API key basis. Reading the fine print, it indicates that the rate limit is actually applied to the IP address. This disconnect leads to immense challenges in working with the API at scale. For example, I bought 7 API key licenses today so that I could work through a very large data set more quickly. However, all of my API keys are working from the same source IP address. So every time your API gets busy, you start blocking me by my IP address. With seven API keys all trying to do work, this invariably leads pretty quickly to a condition in which all of them are being told to Retry repeatedly. I'm currently waiting 2 seconds between my initial requests. And I'm tripling your "retry-after" suggestion before trying again. Doesn't matter. It always ends up with the same congestion. Whether by offering a "premium" tier or by letting me actually use the API keys that I've already paid for, I really need some help to make this thing scale.

3 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Justin Lute shared this idea  ·   ·  Report…  ·  Admin →
declined  ·  AdminTroy Hunt (CEO / Founder, Have I Been Pwned) responded  · 

The API is rate limited per key at the Azure API Management level. There are no rate limits per IP address. Usually when I hear a report like this, it’s because someone is inadvertently making too many requests so I’d normally suggest changing the API key (you can do that on the page you registered on), then testing the new key totally independently of your code, for example in Postman.

Closing this “idea” as it’s not an idea, contact me directly if you still have problems: https://www.troyhunt.com/contact/

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Justin Lute commented  ·   ·  Report

    Thanks for the response, Troy. FYI, your documentation implies that even if it was your _API Key_ that was found to be violating the rate limit, it's your _IP address_ which will be denied access:

    "...from any given HIBP API key... response header expressing the number of seconds remaining before the IP address can make a successful API call..."

General

Categories

Feedback and Knowledge Base

(thinking…)