Rate-limits for Fortnox API

Why rate-limit?

All commercial cloud services providing public APIs implement a rate-limiting system of some form, primarily to protect their systems from abuse and from over-utilization of system resources.

Fortnox rate limit

When the number of requests reaches the rate limit, HTTP status 429 (Too Many Requests) is returned, making it very clear when the rate limit is being enforced.
The limit is 4 requests per second per access-token. This equals a bit more than 200 requests per minute. Our load balancer tracks requests at millisecond granularity, so this limit corresponds to 1 request every 250 milliseconds.

We allow a “burst”-zone of up to 20 requests – essentially this allows “borrowing” future request slots from the rate-limit.

Suppose that the 20-slot burst zone is empty and 15 requests arrive simultaneously from a given access-token. All 15 requests will be forwarded immediately, while 14 slots in the burst zone are marked as taken, upon which 1 slot is freed every 250 milliseconds. (If there were 25 requests instead, 21 would be forwarded immediately, 20 slots would be marked as taken, and 4 requests would be rejected with status 429.)

Another example would be an application that does 10 API requests within one second, at set intervals of 5 seconds – this application will never have API calls rejected, since 2.5 seconds after those 10 requests the burst zone will be fully cleared.
This system ensures that applications doing short bursts of requests at semi-regular intervals will continue working just fine, while rate-limit responses are still correctly sent if the average request rate is too high.

The rate-limit scales with more tenants / access-tokens

Remember that the rate limit is not based on external IP addresses, but rather on the access-token. If your integration is used by five different Fortnox-tenants, every one of those tenants will have a unique access-token, granting you 4 r/s for each such token. This would effectively put you at a global limit of 20 requests per second towards the Fortnox API. Remember that each individual access-token will still be at the 4 r/s limit, though.
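To make the burst-zone behaviour and the per-token scaling concrete, here is a small model of the limiter as described on this page: one regular slot every 250 ms, a burst zone of 20 slots that can be borrowed from the future, and separate state per access-token. This is an added example written for this page, not Fortnox's load-balancer code; the class and function names (TokenLimiter, Gateway, burst_from_idle and so on) are my own, and the scenario functions reproduce the 15-request, 25-request and 10-every-5-seconds cases from the text plus a sustained 5 r/s sender, so an integrator can see when 429 responses start.

```python
from math import ceil

RATE_PER_SECOND = 4
SLOT_MS = 1000 // RATE_PER_SECOND   # one regular slot every 250 ms
BURST_SLOTS = 20                    # slots that may be borrowed from the future


class TokenLimiter:
    """Limiter state for a single access-token (hypothetical model, not Fortnox's code).

    `next_slot_ms` is the time at which the next regular slot becomes free.
    A request arriving at or after it simply uses that slot; a request arriving
    earlier borrows a burst slot and pushes `next_slot_ms` another 250 ms into
    the future. Once 20 slots are borrowed, further early requests get 429.
    Because `next_slot_ms` is a point in time, one slot is freed every 250 ms
    with no extra bookkeeping.
    """

    def __init__(self):
        self.next_slot_ms = 0

    def burst_taken(self, now_ms):
        """Burst slots currently marked as taken (0..20) at time now_ms."""
        owed = max(0, ceil((self.next_slot_ms - now_ms) / SLOT_MS))
        return max(0, owed - 1)   # the first owed slot is the regular one

    def request(self, now_ms):
        """HTTP status this request would receive: 200 (forwarded) or 429."""
        if self.burst_taken(now_ms) >= BURST_SLOTS:
            return 429
        self.next_slot_ms = max(self.next_slot_ms, now_ms) + SLOT_MS
        return 200


class Gateway:
    """Tracks one TokenLimiter per access-token, not per source IP address."""

    def __init__(self):
        self.limiters = {}

    def request(self, access_token, now_ms):
        lim = self.limiters.setdefault(access_token, TokenLimiter())
        return lim.request(now_ms)


def burst_from_idle(n):
    """n simultaneous requests from an idle token -> (forwarded, rejected, burst slots taken)."""
    lim = TokenLimiter()
    statuses = [lim.request(0) for _ in range(n)]
    return statuses.count(200), statuses.count(429), lim.burst_taken(0)


def periodic_bursts(per_burst=10, period_ms=5000, cycles=12):
    """Application doing `per_burst` requests at once every `period_ms`.

    Returns (number of 429s over all cycles, ms after the first burst until the
    token is fully cleared again).
    """
    lim = TokenLimiter()
    rejected = 0
    cleared_after_ms = 0
    for c in range(cycles):
        t = c * period_ms
        rejected += sum(lim.request(t) == 429 for _ in range(per_burst))
        if c == 0:
            cleared_after_ms = lim.next_slot_ms - t
    return rejected, cleared_after_ms


def first_rejection_ms(interval_ms, horizon_ms=60_000):
    """Time of the first 429 for a client sending one request every interval_ms, or None."""
    lim = TokenLimiter()
    for t in range(0, horizon_ms, interval_ms):
        if lim.request(t) == 429:
            return t
    return None


def fleet_burst(tenants, requests_per_tenant):
    """Each tenant's access-token fires requests_per_tenant at once -> (forwarded, rejected)."""
    gw = Gateway()
    statuses = [gw.request(f"token-{i}", 0)          # constructed token ids
                for i in range(tenants) for _ in range(requests_per_tenant)]
    return statuses.count(200), statuses.count(429)


if __name__ == "__main__":
    print("15 at once:", burst_from_idle(15))        # (15, 0, 14)
    print("25 at once:", burst_from_idle(25))        # (21, 4, 20)
    print("10 every 5 s:", periodic_bursts())        # (0, 2500)
    print("steady 4 r/s:", first_rejection_ms(250))  # None
    print("steady 5 r/s:", first_rejection_ms(200))  # 20200
    print("5 tenants x 25:", fleet_burst(5, 25))     # (105, 20)
```

The steady 5 r/s case is the one worth remembering: a client only one request per second over budget still runs fine for about 20 seconds (the 20-slot burst zone absorbs the surplus) and then gets a 429 on every fifth request, so a 429 observed long after start-up points at the average rate, not at a single burst. The fleet case shows the scaling rule: five tokens absorb 21 simultaneous requests each, but the 22nd request on any one token is still rejected.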