Rate limiting

Rate limiting controls the number of incoming and outgoing requests to or from a network. For example, let’s imagine you are using a particular service’s API that is configured to allow 100 requests/minute. If the number of requests you make exceeds that limit, an error is triggered.

ReachFive APIs employ safeguards against bursts of incoming traffic for each tenant to help maximize its stability. The Rate Limiter setting in the ReachFive Console allows you to change the maximum number of calls from the same IP within a defined timeframe.

When an IP reaches the limit, the server responds with 429 Too Many Requests.

Rate limiting endpoints

By default, all endpoints below allow 20 requests every 60 seconds from the same IP.

Each endpoint specifies whether you can configure the maximum number of attempts and sliding window duration.
Operation Endpoint Configurable

Retrieve access token

/oauth/token

Revoke refresh token

/oauth/revoke

Login with password

/identity/v1/password/login

Sign up new user

/identity/v1/signup

Sign up new user and return token

/identity/v1/signup-token

Request password reset

/identity/v1/forgot-password

Update password

/identity/v1/update-password

Update phone number

/identity/v1/update-phone-number

Verify phone number

/identity/v1/send-phone-number-verification

Update email

/identity/v1/update-phone-email

Verify email

/identity/v1/send-email-verification

Start passwordless flow

/identity/v1/passwordless/start

Verify passwordless

/identity/v1/passwordless/verify

Verify SMS auth code

/identity/v1/verify-auth-code

Configure rate limits

Some ReachFive API endpoints have configurable rate limits. You can configure these from your ReachFive Console.

Prerequisites

  • You must have access to the ReachFive Console.

  • You must have a Developer, Manager, or Administrator role.

Instructions

  1. Go to Settings  Security  Rate limiter.

  2. Go to your desired configurable endpoint.

  3. Set the Maximum number of attempts by entering in the value or using the up and down arrows.

  4. Set the Sliding window duration by entering in the value or using the up and down arrows.

    This is specified in seconds.

Bypass rate limit configuration

If you want, you can add IP addresses to a whitelist under Global settings. The IP addresses listed here are not subject to any rate limit from any ReachFive endpoint.

  1. Go to Settings  Security  Rate limiter.

  2. Under Global settings, list one URL per line.

  3. Don’t forget to Save your input.

    whitelist urls

IPv4 addresses

We support both standard IPv4 address format as well as IPv4 address ranges.

The syntax supports ranges of IPv4, as you can see in the following examples:

  • Using /z, the CIDR notation, you can define a range of usable addresses throughout the 4 octets: 10.0.0.0/24 will accept addresses from 10.0.0.0 to 10.0.0.255

  • Using *.*, called asterisk octet, you can wildcard a whole octet of addresses: 10.0.0.*.* will accept addresses from 10.0.0.0 to 10.0.0.255

  • Using x-y, called hyphenated octet, you can define a specific range of allowed addresses: 10.0.0.15-25 will accept addresses from 10.0.0.15 to 10.0.0.25

  • You can mix both asterisks and hyphenated patterns, as long as you respect rules below: 10.0.1-10.* will accept addresses from 10.0.1.0 to 10.0.10.255

There are specific rules to follow when using this syntax:

  • x must always be greater than y, meaning that:

    • x can only be 0 through 254

    • y can only be x+1 through 255

  • You can have only one hyphenated octet per address.

  • Only asterisks are permitted after a hyphenated octet.

IPv6 addresses

Currently, only the standard IPv6 address format such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334 is supported.