Rate limits and letting people login

Consider the following work flow.

I have a chat with, say, on a good day 10k people present.

We run something, that requires users to visit a website and login.

A normal user authentication flow, results in me being passed back a packet containing the access_token, refresh_token, scope, and expires time. BUT NOT THE USER ID

This means I can make requests to helix using an access_token and thus means I get 120 as my rate limit.

I then use the access token to a call to https://api.twitch.tv/helix/users with the header Authorization': 'Bearer SOMETOKEN' in order to recover the user’s ID. (only thing I need in this example)

Under this and dropping the link into chat,120 people logged in and I collect their user_id (only way to get their userID is to make a helix call), the 121st person (and beyond), resulted in a 429 (crashed my app as my non 200 code was derped but thats unrelated to this post).


Under the current rate limit solution, I can only allow 120 people to login during one ratelimit time period.

Logically, I would expect ratelimiting to be done by ClientID/AuthToken Pair (maybe IP also) rather than ClientID/IP Pair? So I could do 120 requests for the authenticated user rather than 120 requests for my app? (Under this method you could also offer a lower rate limit to prevent abuse if done by ID/Token pair instead)

Yes I could ask for a higher rate limit, but I don’t think this is the answer for this example use case, as it will affect anyone and everyone whom is doing Login With Twitch?

Further more I can see it becoming a problem for larger bot users with one clientID and one IP trying to perform data lookups for 120+ channels.


The issue is compounded when you consider “If You Use Twitch for Login to Your App, You Must Validate Every Request”

Possible solution:

Duplicate https://api.twitch.tv/kraken/ on https://api.twitch.tv/helix/ and make https://api.twitch.tv/helix/ be rate limit free?

I am facing the same problem, as soon as users have to login, and you have to make requests in their regard. E.q. if you provide a service for a lot of twitch users then the 120 calls limit is getting problematic rather soon.

An custom rate limit for authenticated requests (e.q. via bearer token would be great), then this limit could be lower and it would make it easier for developers, at the moment you have to provide a worse user experience than necessary, and it is sometimes hard to guess how fast your app will grow in these cases so it is not always feasible to request an rate limit increase beforehand.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.