Version 1.1. Rate Limiting Clarification


I was wondering if I could get a clarification on the Rate Limiting in API 1.1. Specifically: Is the rate limit imposed on the user of the web application or the web application itself? For example, suppose one user running my web application uses 5 instances of followers/ids and 4 users run my web application within the rate limit window. Would my application hit the rate limit (5*4 = 20 which is more than the 15 limit) or would it be fine (each user uses 5 which is less than the 15 limit)?

Also, are the limits per API element or grouped together. For example, if a user uses 8 instances of followers/ids (limit 15) and 8 instances of friends/ids (limit 15), did they hit the limit (8 + 8 = 16, more than 15) or are they fine (each API element under the 15 limit)?

Thanks for any help and guidance you can provide.


API v1.1 rate limits are per access token-application combination per rate limit window. Activity occurring on one access token does not effect the capabilities of other access tokens.


Thanks. I was hoping it was that way.

Are rate limits also separated out based on the API element being called? For example, calls to friends/ids won’t affect how many calls to followers/ids the application can make?


Correct, each GET-based method has its own rate limit per every fifteen minutes: [alias:/docs/rate-limiting/1.1/limits, title=“table of limits”].


Hey @episod, I wish you can help with the following issue which should not stand according to your answers of this thread, but I can’t get it to work.

I will enumerate all the steps of an user session of my website, so hopefully you can understand what I’m doing wrong:

  1. When the user “Logins by Twitter”, a GET request is sent to my backend app which performs a POST to

  2. When the client-side receives the request token, it redirects to

  3. The Callback URL of my twitter app is a backend route, which saves the oauth_token and oauth_verifier as cookies, and redirects the user to the website main page.

  4. Once an user is logged in, he can make one request to my backend side which will make 15 calls to the endpoint on the user behalf, i.e, with the oauth token saved on the request cookie.

So what is happening is that if this process is done simultaneously by more than 2 users, I always get a “Rate limit exceeded” error, which makes me conclude that the requests are being done with the “app auth” and not the “user auth”, although each request is made with the user own requested token.

After reading a lot of the REST API docs and threads of this forum I understood that each user can make up to 15 requests within a 15min window, but I’m being only able to make 30 request per 15min window, which is the “app auth” limit.

So did I understood it wrong and the user limit only makes sense in a multi app context, or is there really a flaw in my authentication/request process?

I really hope you can help, cheers!