Rate Limiting (Specifically Content Syndication API)

In recent work to migrate to the new v2 NHS Syndication API routes I have been implementing code to limit requests in line with the rate limiting requirements. For reference these are:

120 requests per minute Integration
1200 requests per minute Production

In my testing I have received 14 responses with status code 429 over the course of a 70 minute period where I have made a total of 95 requests to the integration API endpoint. Can someone confirm if the rate limit is actually per minute or is it per second multiplied up to give a number for a minute? If it is per second then can you provide more clear documentation so I can try to limit hitting this in the future.

Hi Matthew,

You as the API Producer should be able to control your rate limits.

NHS API Platform set a default only to keep usage low and safe.

  • The default is applied per minute , not per individual second - so at the default limit of 5tps, you can perform up to 300 transactions in any given (rolling) minute
  • The default is applied per application, per API
  • Is applied to our OAuth 2.0 authorisation service

We expect you to work with each API consumer to agree what their rate limits should be.

  • NEVER ask an API Consumer to create more Apigee Apps to increase their rate limit:
    • This means they need to manage more credentials and connections - making their integration with us harder
    • Rate limiting is not about reducing your consumers rate limit until they get one or two 429’s, but about setting a limit that only ever triggers in unusual situations
    • When looking at production usage for any consumer you will see a more “consistent” level of requests (with busier consumers) - because the peaks and troughs even out. Don’t be too granular with your rate limits as the peaks and troughs don’t smooth out.

Understanding the 429 Error : The 429 status code (“Too Many Requests”) is triggered when your request count exceeds the configured threshold in the given interval. Given that you’ve received a 429 error despite staying well under the limit, it’s possible that:

  • SpikeArrest is enforced in smaller increments : If the SpikeArrest policy is applied here, the per-minute rate might be effectively divided across seconds, which would restrict bursts within any single second.

  • Setting correct values: If you are enforcing the rate at, for example, 120 requests per minute, the SpikeArrest value should not simply be 120pm. Instead, Apigee documentation advises that if you need 120 requests per minute, set the SpikeArrest to 2ps (per second) (since 120 / 60 = 2).

Recommendations :

  • Verify Policy Configurations : Check the manifest settings for both the Quota and SpikeArrest policies, ensuring they align with your desired rate (e.g., 2ps for 120 requests per minute).
  • Consider Apigee Documentation Guidance : Apigee suggests configuring SpikeArrest in terms of per-second intervals rather than aggregating the total per minute.

If this doesn’t solve the issue, additional configuration tuning might be required, particularly in distinguishing between Quota and SpikeArrest limits in your manifest.

Thanks,

NHS England API Platform team

Please note: The API Platform team can only address queries relevant to the NHS England API platform, including security, rate limiting, logging, monitoring and alerting. For any API specific queries, please reach out the relevant API teams.

Thank you for the response, I am slightly confused as the response appears to be given as though I am the API Producer. In this instance I am the consumer of the NHS Syndication API which has a rate limit of 120 requests per minute in the integration environment. During my testing, on the integration environment, I received 14 responses with a code of 429 despite the fact that in my 70 minute test I only made 95 requests to the NHS Syndication API. This does not line up with the documentation stating rate limit of 120 requests per minute on this API in this environment.

I don’t understand what the Apigee documentation has to do with my question, I am not using this in my rate limiting of requests to the NHS Syndication API.

Hi Matthew,

Apologies for the delayed reply to your follow up query.

Our earlier response was from an API Platform perspective.

As the rate limiting/usage Caps for Integration environment is set by the specific API team, this query should’ve been addressed to the NHS Website Content API v2 team. (https://digital.nhs.uk/developer/api-catalogue/nhs-website-content/v2)

I will tag your query to the NHS Website Content API team and they should be able to respond.

Thanks,

NHS England API Platform team

Please note: The API Platform team can only address queries relevant to the NHS England API platform, including security, rate limiting, logging, monitoring and alerting. For any API specific queries, please reach out the relevant API teams.

Thank you for the reply and sorry for putting the question in the wrong place. I will wait to hear from the Website Content API team.

Hi Matthew,
We have set the limit at 120 requests per minute in Intergration which our software Apigee smooths into intervals of seconds, which equates to 2 per second. You can see more information about the ‘Spike Arrest Policy’ on their documentation. Hope this helps.
Michael

Michael,
Thank you for that explanation. That explains why I’m hitting the rate limit when I not expecting to. Is there an issue with me hitting this limit in integration, there is backoff code to limit this happening but some retry strategy means that it does happen. I expect in production with the significantly higher rate limit this will not be an issue.
Matthew

Hi Matthew,
Don’t worry that you are hitting this limit in integration, I suppose it proves that the policies in place are doing their job! And as you say, with production having much higher rates, hopefully you won’t have any issues.
Michael