Third Party Rate Limits from CF Worker


I’m using a CF Worker to make batch UPDATE requests to a third party API using fetch along with Promise.all

The third party API endpoint has a rate limit of 60 requests/minute. Rate limit info is returned on each request with headers X-RateLimit-Remaining and X-RateLimit-Limit

The third party endpoint requires an access token to be sent along with the request, but I’m assuming that rate limiting is based on IP address (of the worker in this case).

Which leads to my question - if I have multiple users of my (small) app all making batch requests, I would quickly run into rate limit errors if 2 users (or even 1) send a that batch request.

My questions:

  1. How will the third party API receive requests from my CF workers if two users send at same time? Will it depend on region used? Should I assume the requests will come from same IP or different IP address?

  2. How should I think about limiting how many requests are allowed per batch, given the third party rate limit of 60 requests/minute? I was hoping to do 100 concurrent requests but that obviously won’t work now. Maybe 10?

  3. How do large production apps handle integrations with third parties like this? Do they get higher rate limits for their servers?

I was hoping to give my users an button to “Update All” but I am instead forced to rework the UI/UX to allow the user to check off 10 items max and then click an “Update these 10 items” button. Something like that.

Thank you!

If the third party uses Cloudflare, the IP observed will remain static as 2a06:98c0:3600::103.
If the third party does not use Cloudflare, it will be any one of these ips - they are typically assigned to specific region datacenters, some may be reused if the users are reaching the same datacenter.

10 would make sense. You could also queue them: Batching, Retries and Delays · Cloudflare Queues

As a sidenote if you want to rate limit your own users, there is a Workers API for that: Rate Limiting · Cloudflare Workers docs

Ordinarily the third party API would be convinced of the consequences of rate limiting based on IP when Workrs are involved, and they would implement their rate limits based on either their own API token and not the IP, or based on the cf-worker header if the request comes from a Worker as this populates the upstream zone of the customer whose Worker is sending the request: Cloudflare HTTP request headers · Cloudflare Fundamentals docs

Then if those limits are not sufficient, you can request that the third party raise those limits or adjust criteria to better suit your use-case.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.