Skip to content

FutureVuls API Rate Limiting#

FutureVuls has implemented API rate limiting.

Background#

Many of our customers use the FutureVuls API. However, in some cases, concentrated access from a small number of sources can affect the response time of the entire system.

To maintain stable service performance and ensure a smooth experience for all our customers, we have introduced API rate limiting.

Rate Limit Specifications#

Rate Limit Restrictions#

flowchart TD
    A[API request] --> B{IP address limit<br>exceeds 200 req/min?}
    B -- Yes --> C[429 Too Many Requests]
    B -- No --> D{API token limit<br>exceeds 20 req/min?}
    D -- Yes --> C
    D -- No --> E[Request succeeds]
  • A limit of 20 requests/minute is applied per API token.
  • A limit of 200 requests/minute is applied per IP address.

Rate limit restrictions are not strict

Neither the token nor the IP address limits are strict. The limit is applied when it is determined that "20 requests/minute" has been exceeded for a sustained period.

For example, with the token limit, you may be able to make about 30-40 requests before the rate limit is triggered.

Rate Limit Example#

Here is an example of rate limiting, assuming strict enforcement of the request limit. (Please note that in reality, the number of requests before the limit is triggered may vary.)

  • Environment:
    • IP Address: 192.0.2.1 (Global IP)
    • Token in use: Token_A
  • API Usage:
    • 30 requests sent in one minute
  • Result:
    • The first 20 requests will succeed.
    • The subsequent 10 requests (from the 21st onwards) will return an error.
  • Reason:
    • The total number of requests from the IP address (30) is under the IP limit (200).
    • However, since the number of requests from Token_A exceeded its limit (20), the excess requests are blocked.

Response When Rate Limited#

When the token-based rate limit is exceeded, the error response is as follows.

  • Status Code: 429 Too Many Requests
  • Response Header:
    • x-ratelimit-limit: 20
  • Response Body:

    {
    "error" : "You have exceeded the token-based rate limit of 20 requests per minute."
    }
    

Time Until the Rate Limit is Lifted#

Once the rate limit is triggered, it is lifted after approximately one minute. (This is not an exact time.)

How to Avoid Rate Limiting#

Here are some ways to avoid being rate-limited.

Method 1: Utilize APIs for fetching multiple items at once#

The following APIs allow you to fetch specific items in batches. By using these APIs, you can avoid making a large number of requests to fetch vulnerability or task details individually.

  • Task Comments: Batch Get Task Comments API (GET /v1/taskComments)
  • Bulk Task Update: Bulk Task Update API (PUT /v1/tasks)
    • You can specify multiple task IDs to update their statuses or priorities in bulk (up to 1,000 tasks).
  • Vulnerability Information: Get Group Set Vulnerability Information API (GET /v1/groupSet/cveVulnInfos)

Method 2: Introduce a sleep delay#

When executing API calls consecutively, you can reduce the risk of hitting the rate limit by introducing an appropriate wait time (sleep) between requests.

Implementation Example#

  • Introduce a sleep after each request to stay under the 20 requests/minute per API token and 200 requests/minute per IP address limits.
  • Add a status code check for each API response. If the status code is 429, add a delay to bring your request rate below 20 requests/minute (e.g., about 5 seconds per request).