This is an interesting article Trevor​. I'm a bit concerned as we just implemented UDOIT at our institution which is self-hosted. This application makes use of instructor-level API tokens and performs several GET requests in succession when a course is scanned for accessibility issues. When hundreds or even potentially thousands of instructors are performing scans of content, does this pose a risk with your API rate limit policy?

Thanks!

Hi JEFHQ12951​

Unfortunately, I'm not too familiar with UDOIT. Any issues with the API rate limit would depend on how UDOIT was developed. Do you know if UDOIT makes simultaneous API requests? Because the cost of an API call is roughly based on the time it takes to process that request and the bucket empties at a rate faster than real time an application making a single request at a given time is pretty unlikely to be throttled. If it does make multiple simultaneous requests it would be up to the application to monitor the remaining cost available in the bucket.

I believe tr_jbates​ developed UDOIT. Jacob?

Thanks to dgrobani​ for bringing me in on the conversation.  Hopefully I can clear things up.

Each user of UDOIT is actually using their own API key (obtained through the Oauth2 process), and all API calls are done sequentially (rather than simultaneously).  My understanding is that since the bucket "empties" faster than sequential requests can "fill" it, we should never run into any rate limiting issues.  Also, the rate limit is on a per-user basis, so it shouldn't matter if 1 person or 100 people are using UDOIT simultaneously.

Does that sound right  @tfullwood ​?

Thanks for explaining, Jacob​

Trevor, can you confirm these assertions?

Hey JEFHQ12951​ and tr_jbates​

Based on what tr_jbates described this sounds well designed as far as rate limits are concerned. And tr_jbates​ you are correct. The only clarification I have is that the throttling is done at the individual token level rather than the user level.

This satisfies my concern. Thanks, Trevor.

For my own benefit, what's the difference between an individual token level and the user level? Are you referring to the Developer key?

I'm referring to the individual's API token (in this case a specific user's token generated by the OAuth process). A single user could have any number of access tokens associated with their account. We're going to throttle specifically to a token, so API using applications will be throttled separately.

 @tfullwood ​ thanks for this info, I have been aware of throttling, but have not yet experienced it and have not understood how it is applied.

I have written an algorithm to transfer grades from Canvas courses to the SIS, which is a multi-tasking process, processing multiple courses simultaneously using the same token.

So far there has not been a problem and I have not received the error "403 Forbidden (Rate Limit Exceeded)".

Thanks again.

Thank you for the API Rate Limiting policy information.

When you initially create a request Canvas adds 50 units cost up front. After the true cost of the call is determined the 50 units cost is then subtracted. This is done to prevent multiple simultaneous requests from overflowing the bucket before Canvas can calculate the cost. Sending multiple simultaneous calls will quickly fill the bucket regardless of the true cost of each call (until the upfront cost is removed).

Does Canvas still add 50 units cost up front? I've run some tests with concurrent calls in C# and it looks like I lose about 15 points per call. 

For example: I make a large list of API calls, 2 at a time. The first call returns with an X-Rate-Limit-Remaining of 700, the second call returns with an X-Rate-Limit-Remaining of 685. The next group of calls waits until both of those calls have returned before launching themselves, and they return with the same values. The cost of each call varies between 0.05 - 0.12.

After further tests it appears that I'm able to make 45 concurrent calls before I get close to my 700 point limit (less than 100 remaining). The next batch of 45 calls start running right away once the first returns and my (actual total cost is close to 4 points so no problems there) but the next batch starts off with a full 700 points remaining.

(Also, is there a recommended API call I can use to cheaply see my X-Rate-Limit-Remaining?)

I need an recommendation / solution for this situation as noted in https://community.canvaslms.com/thread/53565 

Hi, Trevor.
I recently ran into this problem where the Canvas API is used by an integration solution.
I would give you one recommendation in relation to this - HTTP status code 403 in Canvas response in such a scenario does not work well. 403 is Forbidden and this has access grounds. The response should be 429 (Too Many Requests). Why? Because standard (not customized) retry policies, which are used e.g. in Azure Logic Apps and Power Automate flows, take into account 429 as one of the response codes to activate a retry procedure, while 403 is an error that cannot be fixed by a retry call.
A retry call within a few seconds will most probably succeed or there will be another retry call. So, the status code 429 would be much more useful.

@tfullwood 

What are the current values?

Is the High Water Marker still 700?

Also, is that possible for the client to buy a higher HWM?

To answer the question above (even though this was years ago).  The x-rate-limit-remaining header still shows as 700 when I make requests using a developer token.  So I assume these numbers still apply.

I also realize this is a very old post and I may post a separate question since the likelihood of someone from Instructure responding is very low.   The person who made this post may not even be at Instructure anymore based on his activity.

But my question is, if this is per token, how does that work for students (with limited permissions) making API calls within the environment without a token?  In a separate post I made, someone answered a question I had about making (limited by the user's access) API calls as a regular student being possible without a token due to most things in Canvas using the API to function.  Of course that only works for things they have access to while logged in.  Is that 700 unit limit applying only to their account or does that factor in to my developer token usage somehow?  This wouldn't make sense since said token isn't being used for this, nor is any token being used. But I figured that would be a good thing to clarify for other users that make heavy use of the API.  I see the same x-rate-limit-remaining header is present in the network console when viewing as a student, so there must be some sort of rate limiting occurring for students as well.

I think this information should also be posted in the API documentation in a more obvious place.  The only mention of rate limiting is under the Data Access Platform documentation which I am not using.  I had to dig around to find this. 

Hi @bressler1995,

There is at least a bit of documentation about this included in the API docs: Throttling - Canvas LMS REST API Documentation.

That document also mentions that each token has it's own quota.  When using the browser auto instead of a token, I'm not quite sure how that ends up working though. Most things you'd do with browser auth would likely be GET calls, and those are fairly inexpensive for rate limiting anyways, so unlikely to have to worry much unless you're making tons of simultaneous calls (which probably wouldn't be recommended anyways).

-Chris

@chriscas Awesome, I wasn't expecting anyone to see this so I appreciate that.  I guess that was in front of me the whole time. I was searching by "rate limiting" and didn't think to search by that term, even though it was in the main nav pretty clearly.  That is good insight though.  I was just considering this since I wasn't sure if this might pose an issue with users doing things in the LMS and my external tools making calls at the same time.  Most of my calls are GET that retrieve user data every so often so that we can issue users a badge through another platform when their grades meet the requirements.  I very rarely use POST except when I want to replace uploaded files dynamically, which we only do when we want to update content.  I'll definitely be setting up another token since we are going to be using another version of this tool for another section in the course and that should help avoid exceeding the limit.  The requests made by students are from a script in the theme that gets their user ID, and gets their enrolled sections for some dynamic content trickery.

If you have Claude desktop you can hook into the MCP we built (free) and use conversational AI to search through the Canvas API docs and generate working code.  

Comprehensive Features Include:

• Complete Canvas API directory with searchable endpoints
• Detailed endpoint documentation with parameters, responses, and examples
• Intelligent semantic search across all Canvas API functionality
• Code examples in 12+ programming languages
• Best practices and troubleshooting guides
• Interactive prompts for specific Canvas development scenarios

https://blog.atomicjolt.com/automatically-generate-working-code-for-canvas-api-development/