Repeated requests to oauth2/token eventually return 403


#1

It would appear there is some sort of undocumented rate limiting on the oauth2/token endpoint. Repeated calls to this endpoint eventually return a 403 response with error code 99 (full response example below). The timing on this felt very consistent. After what also seemed like a consistent amount of time the responses would return to successes again without any changes in the request other than the timing.

I realize that the response from that endpoint should be cached instead of continually polled for, I’ve adjusted my code for this since the errors.

So, my questions: Does the oauth2/token endpoint have any sort of rate limiting? If so, can the documentation please be updated to reflect the rate limiting in place and the error message updated to appropriately reflect what’s preventing the request?

Full response:

HTTP/1.1 403 Forbidden
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
content-length: 105
content-type: application/json; charset=utf-8
date: Wed, 02 Oct 2013 13:42:45 GMT
expires: Tue, 31 Mar 1981 05:00:00 GMT
last-modified: Wed, 02 Oct 2013 13:42:45 GMT
pragma: no-cache
server: tfe
set-cookie: _twitter_sess=[truncated] domain=.twitter.com; path=/; secure; HttpOnly
set-cookie: guest_id=v1%3A138072136558870942; Domain=.twitter.com; Path=/; Expires=Fri, 02-Oct-2015 13:42:45 UTC
status: 403 Forbidden
strict-transport-security: max-age=631138519
vary: Accept-Encoding
x-frame-options: DENY
x-mid: 0710275958edf375e3f8d4d5becec493a4883891
x-runtime: 0.01375
x-transaction: 5610e399fdbdef33
x-ua-compatible: IE=10,chrome=1
x-xss-protection: 1; mode=block

{"errors":[{"label":"authenticity_token_error","code":99,"message":"Unable to verify your credentials"}]}
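One way to apply the caching the post describes, as an added example that is not code from this thread or from Twitter's own libraries: the client requests the app-only bearer token once and reuses it, and when it sees the 403 / error code 99 body quoted above it stops posting to oauth2/token for a cooldown period instead of retrying. The post_token transport, the injected clock and the cooldown length are assumptions.

```python
import base64
import json

# Constructed sample responses modelled on the thread above, not captured live.
TOKEN_OK = (200, '{"token_type":"bearer","access_token":"AAAA-constructed-token"}')
TOKEN_RATE_LIMITED = (403, '{"errors":[{"label":"authenticity_token_error",'
                           '"code":99,"message":"Unable to verify your credentials"}]}')


def is_token_rate_limit(status, body):
    """True for the 403 / error code 99 shape quoted in the post."""
    if status != 403:
        return False
    try:
        errors = json.loads(body).get("errors", [])
    except ValueError:
        return False
    return any(e.get("code") == 99 for e in errors)


class BearerTokenCache:
    """Fetch the app-only bearer token once and reuse it instead of re-posting.

    post_token(authorization_header) -> (status, body) is a hypothetical transport
    that POSTs to oauth2/token; clock() returns seconds (injected for testing).
    """

    def __init__(self, consumer_key, consumer_secret, post_token, clock, cooldown=900):
        creds = f"{consumer_key}:{consumer_secret}".encode()
        self._auth = "Basic " + base64.b64encode(creds).decode()
        self._post_token, self._clock, self._cooldown = post_token, clock, cooldown
        self._token, self._blocked_until, self.requests_sent = None, 0.0, 0

    def get_token(self):
        if self._token is not None:
            return self._token                      # cached: nothing goes over the wire
        if self._clock() < self._blocked_until:     # honour the cooldown after a code 99
            raise RuntimeError("oauth2/token rate limited; retry after cooldown")
        self.requests_sent += 1
        status, body = self._post_token(self._auth)
        if is_token_rate_limit(status, body):
            self._blocked_until = self._clock() + self._cooldown
            raise RuntimeError("oauth2/token rate limited; retry after cooldown")
        if status != 200:
            raise RuntimeError(f"unexpected status {status} from oauth2/token")
        self._token = json.loads(body)["access_token"]
        return self._token
```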


#2

We do have some limitations on the amount of times you can negotiate a token – it helps to discourage widely distributed client-side use cases of this form of auth. I’ve updated the documentation to reflect.


#3

Awesome, thank you very much, I see it here: https://dev.twitter.com/docs/api/1.1/post/oauth2/token

It’d also be really nice if it said “Rate Limited? Yes” for those that like to skim but I won’t press my luck :slight_smile:


#4

I’m getting the same error, what is the solution?