Bird
Raised Fist0
Rest APIprogramming~5 mins

Rate limit error responses in Rest API

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

Rate limit error responses tell users when they have sent too many requests in a short time. This helps keep the service fair and working well for everyone.

When you want to stop a user from sending too many requests quickly.
To protect your server from overload or abuse.
To make sure all users get a fair chance to use the service.
When your API has limits on how many requests can be made per minute or hour.
To inform users politely that they need to wait before trying again.
Syntax
Rest API
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Retry-After: <seconds>

{
  "error": "Rate limit exceeded",
  "message": "You have sent too many requests. Please wait before retrying."
}

The status code 429 means "Too Many Requests".

The Retry-After header tells the client how many seconds to wait before trying again.

Examples
This response tells the user to wait 60 seconds before sending more requests.
Rest API
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
Retry-After: 60

{
  "error": "Rate limit exceeded",
  "message": "Try again in 60 seconds."
}
This response does not include Retry-After, so the client decides when to retry.
Rest API
HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{
  "error": "Rate limit exceeded",
  "message": "Please slow down your requests."
}
Sample Program

This small web server limits each user to 3 requests every 10 seconds. If the user sends too many requests, it returns a 429 error with a message and tells how many seconds to wait.

Rest API
from flask import Flask, request, jsonify
import time

app = Flask(__name__)

# Simple rate limit: max 3 requests per 10 seconds per IP
requests_log = {}

@app.route('/data')
def data():
    ip = request.remote_addr
    now = time.time()
    window = 10
    max_requests = 3

    # Clean old requests
    requests_log.setdefault(ip, [])
    requests_log[ip] = [t for t in requests_log[ip] if now - t < window]

    if len(requests_log[ip]) >= max_requests:
        retry_after = window - (now - requests_log[ip][0])
        response = jsonify({
            "error": "Rate limit exceeded",
            "message": f"Try again in {int(retry_after)} seconds."
        })
        response.status_code = 429
        response.headers['Retry-After'] = str(int(retry_after))
        return response

    requests_log[ip].append(now)
    return jsonify({"data": "Here is your data!"})

if __name__ == '__main__':
    app.run(debug=True)
OutputSuccess
Important Notes

Always include the Retry-After header if you want clients to know when to try again.

Use status code 429 specifically for rate limiting errors.

Be clear and polite in your error messages to help users understand what happened.

Summary

Rate limit errors use HTTP status 429 to tell users they sent too many requests.

The Retry-After header helps clients know when to retry.

Clear messages improve user experience and reduce confusion.

Practice

(1/5)
1. What HTTP status code is commonly used to indicate a rate limit error in REST APIs?
easy
A. 404
B. 429
C. 500
D. 401

Solution

  1. Step 1: Understand HTTP status codes for errors

    HTTP status codes in the 400 range indicate client errors. Among them, 429 specifically means too many requests.

  2. Step 2: Identify the code for rate limiting

    The 429 status code is defined to signal that the user has sent too many requests in a given time.

  3. Final Answer:

    429 -> Option B

  4. Quick Check:

    Rate limit error = 429 [OK]
Hint: Remember 429 means too many requests, a rate limit error [OK]
Common Mistakes:
  • Confusing 429 with 404 (not found)
  • Using 500 which is server error
  • Choosing 401 which means unauthorized
2. Which HTTP header is used to tell the client when to retry after hitting a rate limit?
easy
A. Retry-After
B. Authorization
C. Content-Type
D. User-Agent

Solution

  1. Step 1: Identify headers related to retry timing

    The Retry-After header is designed to tell clients how long to wait before retrying a request.

  2. Step 2: Confirm the correct header for rate limit retry

    Other headers like Content-Type or Authorization do not indicate retry timing.

  3. Final Answer:

    Retry-After -> Option A

  4. Quick Check:

    Retry timing header = Retry-After [OK]
Hint: Retry-After header tells when to retry after rate limit [OK]
Common Mistakes:
  • Choosing Content-Type which describes data format
  • Confusing Authorization with retry info
  • Selecting User-Agent which identifies client software
3. What will the following HTTP response indicate? 
HTTP/1.1 429 Too Many Requests
Retry-After: 120
Content-Type: application/json

{"error": "Rate limit exceeded. Try again later."}
medium
A. The client should retry immediately
B. The client is unauthorized
C. The server encountered an internal error
D. The client sent too many requests and should wait 120 seconds before retrying

Solution

  1. Step 1: Analyze the status code and headers

    Status 429 means too many requests. The Retry-After header with value 120 means wait 120 seconds before retrying.

  2. Step 2: Interpret the JSON error message

    The message confirms the rate limit was exceeded and advises to try again later.

  3. Final Answer:

    The client sent too many requests and should wait 120 seconds before retrying -> Option D

  4. Quick Check:

    429 + Retry-After = wait before retry [OK]
Hint: 429 plus Retry-After means wait specified seconds before retry [OK]
Common Mistakes:
  • Thinking client can retry immediately
  • Confusing 429 with unauthorized error
  • Assuming server error from 429
4. A REST API returns this response when rate limit is exceeded: 
HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{"error": "Too many requests"}
What is missing to improve client handling?
medium
A. A Retry-After header indicating when to retry
B. Changing status code to 500
C. Adding Authorization header
D. Removing the error message

Solution

  1. Step 1: Identify missing headers for rate limit response

    The response lacks the Retry-After header, which helps clients know when to retry.

  2. Step 2: Understand why Retry-After is important

    Without Retry-After, clients may retry too soon, causing more errors or confusion.

  3. Final Answer:

    A Retry-After header indicating when to retry -> Option A

  4. Quick Check:

    Retry-After header missing = add it [OK]
Hint: Add Retry-After header to guide client retry timing [OK]
Common Mistakes:
  • Changing status code to 500 which is wrong
  • Adding Authorization header unrelated to rate limit
  • Removing error message reduces clarity
5. You want to design a REST API rate limit error response that clearly informs clients about the wait time and reason. Which of the following is the best practice?
hard
A. Return status 200 with a JSON error field indicating rate limit
B. Return status 403 with a plain text message 'Rate limit exceeded'
C. Return status 429 with a Retry-After header and a JSON message explaining the limit
D. Return status 500 with a Retry-After header

Solution

  1. Step 1: Choose correct status code for rate limiting

    Status 429 is the standard code for rate limit errors, signaling client to slow down.

  2. Step 2: Include Retry-After header and clear message

    Retry-After header tells client how long to wait. JSON message improves clarity and user experience.

  3. Step 3: Evaluate other options

    403 is forbidden, not rate limit. 200 means success, which is misleading. 500 is server error, not client rate limit.

  4. Final Answer:

    Return status 429 with a Retry-After header and a JSON message explaining the limit -> Option C

  5. Quick Check:

    429 + Retry-After + clear message = best practice [OK]
Hint: Use 429 + Retry-After + clear JSON message for best rate limit response [OK]
Common Mistakes:
  • Using wrong status codes like 403 or 500
  • Returning 200 status for errors
  • Omitting Retry-After header