Installation and Integration access tokens, rate limits?


#1

According to the docs there is a rate limit of 5000 requests/hour per integration.

Installation access tokens seem to be limited to 60 requests/hour:

{
    'documentation_url': 'https://developer.github.com/v3/#rate-limiting', 
    'message': 'API rate limit exceeded for installation:1234.'
}
{
    'x-ratelimit-limit': '60', 
    'x-ratelimit-remaining': '0',
}

Quoting the docs:

Most of the useful work is done by authenticating as an Installation.

But how am I supposed to do that with 60 requests/hour? Maybe I’m missing something obvious, could you clarify?


#2

Installation tokens are valid for an hour. You want to cache them until they expire or until you no longer need them. Also note that the rate limit is per installation, not per integration.

Hope this helps,

–tobie


#3

Hi @jayfk, that’s strange - installations currently have a higher rate limit (5000 req/hour) for most requests. Could you please provide the full output of a curl -v request which triggers this problem. Just make sure you mask any OAuth tokens in the output of curl -v. Thanks!


#4

This seems to have something to do with this integration in particular.

Calling /installation/repositories with the “good” integration

curl -H 'Authorization: token TOKEN' -H 'Accept: application/vnd.github.machine-man-preview' -v https://api.github.com/installation/repositories

yields

*   Trying 192.30.253.116...
* TCP_NODELAY set
* Connected to api.github.com (192.30.253.116) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.github.com
* Server certificate: DigiCert SHA2 High Assurance Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> GET /installation/repositories HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.51.0
> Authorization: token TOKEN
> Accept: application/vnd.github.machine-man-preview
>
< HTTP/1.1 200 OK
< Server: GitHub.com
< Date: Fri, 17 Feb 2017 10:39:44 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 5264
< Status: 200 OK
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4987
< X-RateLimit-Reset: 1487329700
< Cache-Control: private, max-age=60, s-maxage=60
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< ETag: "e17189513d9411189b1db7090c94cfb8"
< X-GitHub-Media-Type: github.machine-man-preview
< Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none'
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< Vary: Accept-Encoding
< X-Served-By: 8dd185e423974a7e13abbbe6e060031e
< X-GitHub-Request-Id: C466:2E6EE:8E08E1:B71B02:58A6D2EF
<
{
  "total_count": 1,
  "repositories": [
       ...
  ]
}
* Curl_http_done: called premature == 0
* Connection #0 to host api.github.com left intact

which looks fine.

Calling the same endpoint with the borked integration:

curl -H 'Authorization: token TOKEN' -H 'Accept: application/vnd.github.machine-man-preview' -v https://api.github.com/installation/repositories

yields

*   Trying 192.30.253.117...
* TCP_NODELAY set
* Connected to api.github.com (192.30.253.117) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.github.com
* Server certificate: DigiCert SHA2 High Assurance Server CA
* Server certificate: DigiCert High Assurance EV Root CA
> GET /installation/repositories HTTP/1.1
> Host: api.github.com
> User-Agent: curl/7.51.0
> Authorization: token TOKEN
> Accept: application/vnd.github.machine-man-preview
>
< HTTP/1.1 403 Forbidden
< Server: GitHub.com
< Date: Fri, 17 Feb 2017 10:51:09 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 139
< Status: 403 Forbidden
< X-RateLimit-Limit: 60
< X-RateLimit-Remaining: 0
< X-RateLimit-Reset: 1487330382
< X-GitHub-Media-Type: github.machine-man-preview
< Access-Control-Expose-Headers: ETag, Link, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval
< Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'none'
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< X-GitHub-Request-Id: C7A9:2E6EC:8C9950:B4DFB1:58A6D59D
<
{
  "message": "API rate limit exceeded for installation:INSTALLATION.",
  "documentation_url": "https://developer.github.com/v3/#rate-limiting"
}
* Curl_http_done: called premature == 0
* Connection #0 to host api.github.com left intact

@keavy I’m sending you the installation IDs via PM in case they help.


#5

Hi @jayfk, thanks for the details to investigate this further. That “borked” integration had been flagged as possible spam and that was the reason for the restricted rate limit. That’s been cleared now, so you should be good to go. We’ll look into making the reason more obvious, for you and us!


#6

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.


API randomly returning 401 Bad Credentials