I'm putting together a spec for a REST service, part of which will incorporate the ability to throttle users service-wide and on groups of, or on individual, resources. Equally, time-outs for these would be configurable per resource/group/service.
I'm just looking through the HTTP 1.1 spec and trying to decide how I will communicate to a client that a request will not be fulfilled because they've reached their limit.
Initially I figured that client code 403 - Forbidden was the one, but this, from the spec:
Authorization will not help and the request SHOULD NOT be repeated
bothered me.
It actually appears that 503 - Service Unavailable is a better one to use – since it allows for the communication of a retry time through the use of the Retry-After header.
It's possible that in the future I might look to support 'purchasing' more requests via eCommerce (in which case it would be nice if client code 402 - Payment Required had been finalized!) – but I figure that this could equally be squeezed into a 503 response too.
Which do you think I should use? Or is there another I've not considered?
Best Answer
429 Too Many Requests
The user has sent too many requests in a given amount of time. Intended for use with rate limiting schemes. This code has been accepted in RFC 6585 Additional HTTP Status Codes.