How do API rate limits work?

We have an app that accesses the Jira Cloud REST API via OAuth 2.0 (3LO) and a customer that has been hitting API rate limits for the past 3 days.

I read through the docs on rate limiting but was not clear about the following:

  1. Do the documented rate limits apply to requests made via OAuth (i.e. do the same rules apply)?
  2. Are rate limits shared among all API consumers?
  3. Is it possible to increase the rate limits for certain customers/instances?

If no. 2 is true, how do we know that it is not another app that is using up the rate limit?

Also, unfortunately, in our case, none of the 429 errors include a Retry-After header.

At the moment this is a bit of a black box for us and I would like to get some more insights into this before we jump to conclusions.

2 Likes

Hi @tbinna,

Jira’s rate limiting implementation is optimised towards getting the most value out of Atlassian’s server resources whilst protecting the user experience, but it is not “app friendly” because it doesn’t provide apps with any certainty about limits and, as you point out, doesn’t necessarily return a Retry-After header with 429 responses. The Jira team are currently making some improvements to this, but here are responses to your questions as per the current implementation:

  1. OAuth REST API requests are subject to the same rules.
  2. Rate limits are shared across users and apps. The implementation does not have the concept of quotas per user or consumer. As such, there is no way to determine that another app or user is straining the API and causing the rate limits.
  3. The implementation is configurable, but only by SREs to keep everything running. There’s no ability for a customer to modify their rate limit settings.

Regards,
Dugald

2 Likes

Thank you @dmorrow, that’s great information and helps us to move forward.

1 Like