Rate Limiting On Access Tokens

MatthewF537
Participant

Hi,

 

I am working on an integration with Constant Contacts API on a multi-tenant system held on multiple app servers. Basically, we let them integrate their "members" on their tenants to their Constant Contact account, and depending on some conditions those members get synced to their constant contact account. We integrate their account by using V3 OAuth, storing the access token and refresh token, and using that access token to query/post to the API. So Every tenant will have their own access token going to their own account.

 

This all has been working but I have run into a problem with rate throttling because we run on multiple app servers we then have the chance of running the sync to constant contact at the same time on different app servers. I never would have thought this was an issue but I noticed whenever both servers were running the sync at the same time it was giving me a rate throttle error of "Too Many Requests". From my understanding, this error occurs when you make over 4 requests per second.

 

Now my confusion and question here are, I would think the throttle would be on the access token and not the API key that generated the access token. I'm having trouble seeing any documentation saying if the throttle is on the api key that generated the token or if they are separate so this is leading me to believe that the throttle is based on the api key that generated the access token. If this is true, is this intended? The reason I ask is we integrate on other systems using the same method and we always see the throttle on the access token, never the api key generating the access token. This way you don't end up getting throttled just because you end up with a lot of customers. At the moment I am planning on creating a single app service that will handle all the servers so only one sync will run at a time but want to avoid that if possible.

 

Am I correct in my assumption or am I possibly getting the throttle for other reasons?

 

Thanks!

1 REPLY 1
Courtney_E
Moderator

Hello MatthewF537,

 

Thank you for reaching out to Constant Contact API Developer Support. My team is here to assist outside software developers with questions about building into Constant Contact's API.

 

As with most APIs, our API has rate limits to help maintain stability and security. Our standard API keys have a rate limit of 10,000 calls per day, and 4 calls per second. Once your key has hit its limit, your calls will see this error until the next day (or the next second if going over your queries-per-second limit). Rate limits are per key.

 

429: Too Many Requests

https://v3.developer.constantcontact.com/api_guide/glossary_responses.html#429-too-many-request  

 

If you are hitting your daily rate limit when adding/updating contacts individually, you could consider using our bulk contact export and import (multipart or JSON) endpoints instead. It's a lot more efficient on your systems and ours, reducing the number of calls required to update a large list membership to 2 calls. Export the current list, Import the revised list.

 

You could also set up your application to only make synchronous refresh calls with a 1 second latency, having code execution wait for the API call to return and wait a full second before allowing another request.

 

Under our authorization management service, Constant Contact has also implemented a rate limit on the Token endpoint. A 429 response could potentially be returned if you attempt to refresh an access token before every V3 API request, so it’s recommended that you only send a refresh token request to get a new access token if your existing access token is expired or about to expire, but there are other options available based on the functionality and use of your application:

 

The new rate limit for the endpoint to acquire tokens is 1 request/second.

 

-With previous auth flows, we recommended refreshing the tokens on a timer. If your application is already set up to do this and isn’t used by multiple accounts, this should still work fine, however it can be modified and simplified. There's no longer a need to reset the timer when making a successful API call. Access token lifetime is now a static 24 hours. Timer would only need to count down the 24 hours from receiving the token.

 

-You could also set up your application to only make synchronous refresh calls with a 1 second latency, having code execution wait for the API call to return and wait a full second before allowing another token request.

 

-However, the simplest (and currently recommended method) is to just check whether your JWT access token is still valid before each request. If yes, send your request. If not, refresh the token before sending your request.

 

Our new OAuth2 flows utilize Access Tokens that are in JWT format. JSON Web Tokens (JWT) are a compact and self-contained way for securely transmitting information between parties as a JSON object. 

 

If you want to be able to parse the JWT for the expiration date/time and/or granted scopes, I'd suggest looking for a standalone JWT decoder tool or setting up a decoder within your program’s code so that it can programmatically verify the remaining lifetime of the access token before attempting to refresh.

 

[3rd party resource] JWT Decoder Tool Examples:

https://jwt.io/#debugger-io   

https://developer.pingidentity.com/en/tools/jwt-decoder.html  

 

[3rd party resource] Epoch & Unix Timestamp Conversion Tool Example:

https://www.epochconverter.com/  

 

If you want your application to parse the JWT programmatically in your program’s code (the example we currently offer in the documentation is only in Java at this time), you can find instructions online regarding how to do this in different languages. 

 

The OpenID Foundation maintains a list of libraries implementing JWT and JOSE specs, which may be a good starting point. Their list can be found here: https://openid.net/developers/jwt/  

 

[3rd party resource] Decode JWTs in C# Example:

https://developer.okta.com/blog/2019/06/26/decode-jwt-in-csharp-for-authorization  

 

If you are planning on making an application that would be available and potentially used by a large base of customers then I would suggest you look into becoming a Technology Partner with Constant Contact. There is no price involved with this and the basics are to just create and maintain your app, though there are other parts to it. Members of our partner program are given 250,000 calls per day and up to 10 calls per second. To associate your API Key with a partnership, you can look into becoming a Technology Partner: https://www.constantcontact.com/partners/technology  

 

Please have a look and let us know if you have any other questions or if your situation doesn’t match either of the solutions above by emailing us at webservices@constantcontact.com with your API Key and the details of your application that would require an increase to your call limits. 

 

Please have a look and let us know if you have any other questions!


Regards,

Courtney E.
Tier II API Support Engineer

Did I answer your question?
If so, please mark my post as an "Accepted Solution" by clicking the Accept as Solution button in the bottom right hand corner of this post.
Resources
Developer Portal

View API documentation, code samples, get your API key.

Visit Page

Announcements

API Updates

Join our list to be notified of new features and updates to our V3 API.

Sign Up