Rate Limits

API Request Throttling

The API implements rate limits to prevent brute force attacks on passwords, to ensure that the system load remains manageable, to avoid update rejections due to concurrent DNS updates on the same domain etc.

Rate limits apply per account and are enforced in a sliding-window fashion. For throttled requests, the server will return status 429 Too Many Requests and give a human-readable explanation in the response body, including how long to wait before making another request. The number of seconds after which the next request will be allowed is also given by the Retry-After header.

Example: If the rate is 10/min and you make a request every second, the 11th request will be rejected. You will then have to wait for 50 seconds, until the first request’s age reaches one minute. At that time, it will be dropped from the calculation, and you can make another request. One second later, and generally every time an old request’s age falls out of the counting interval, you can make another request.

The following table summarizes the rate limits pertaining to various parts of the API. When several rates are given, all are enforced at the same time.

Rate limit name

Rate

Affected operations

account_management_active

3/min

Account activities with external effects (e.g. sending email)

account_management_passive

10/min

Account activities with internal effects (e.g. viewing account details, creating a token)

dyndns

1/min

dynDNS updates (per domain).

dns_api_cheap

10/s

50/min

DNS read operations (e.g. fetching an RRset), except zonefile export

dns_api_expensive

10/s

300/min

1000/h

Domain creation/deletion, zonefile export

dns_api_per_domain_expensive

2/s

15/min

100/h

300/day

RRset creation/deletion/modification (per domain). If you require more requests, consider using bulk requests.

user

2000/day

Any activity of a) authenticated users, b) unauthenticated users (by IP)

Throttling of Other Requests

There are also rate limits in place for requests that do not get processed by the API, but are answered directly by the webserver.

Most notably, there is a rate limit of 3 requests per minute for the check IP services running at https://checkip{,v4,v6}.dedyn.io/.