All commercial cloud services providing public APIs implement a rate-limiting system of some form, primarily to protect systems from abuse and over-utilization of system resources.
Fortnox rate limit
When the number of requests reaches the rate limit, an HTTP 429 (Too Many Requests) response is returned, making it very clear that the rate limit is being enforced.
The limit is 240 requests per minute per client-id and tenant.
The rate limit is based on a sliding window algorithm with a window of one minute.
Suppose you do 40 requests in the current minute, which started 15 seconds ago, and 260 requests during the entire previous minute. The rate approximation can then be calculated like this:
rate = 260 * ((60 - 15) / 60) + 40
     = 260 * 0.75 + 40
     = 235 requests
This would leave you 5 requests below the current limit.
Another example would be an application that does 10 API requests within one second, at set intervals of 5 seconds each – this application will never have API calls rejected, since it will never reach 240 requests per minute.
This system will ensure that applications doing short bursts of requests at semi-regular intervals will continue working just fine, while simultaneously correctly sending rate-limit responses if the average request rate is too high.
The rate-limit scales with more tenants / access-tokens
Remember that the rate limit is not based on external IP addresses, but rather on the access-token. If your integration is used by five different Fortnox tenants, every one of those tenants will have a unique access-token, granting you 240 requests per minute for each such token.
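A client can keep the same estimate locally and hold back requests before the API answers with 429. The following is an added example, not Fortnox code: it applies the approximation formula above with one counter pair per client-id and tenant. The class name, the key tuples and the rule "allow a request while the estimate plus one stays at or below 240" are assumptions; the server's own accounting may differ.

```python
import math
from collections import defaultdict

LIMIT = 240     # requests per minute per client-id and tenant (from the page)
WINDOW = 60.0   # window length in seconds (from the page)


class SlidingWindowBudget:
    """Client-side estimate of the sliding-window rate, one counter pair per key."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        # key -> [window index, requests in current window, requests in previous]
        self._state = defaultdict(lambda: [0, 0, 0])

    def _roll(self, key, now):
        state = self._state[key]
        index = math.floor(now / self.window)
        if index == state[0] + 1:        # crossed into the next window
            state[1], state[2] = 0, state[1]
        elif index != state[0]:          # idle for a full window or more
            state[1], state[2] = 0, 0
        state[0] = index
        return state

    def rate(self, key, now):
        """previous * ((window - elapsed) / window) + current, as on the page."""
        _, current, previous = self._roll(key, now)
        elapsed = now % self.window
        return previous * ((self.window - elapsed) / self.window) + current

    def record(self, key, now, count=1):
        """Account for requests that were actually sent."""
        self._roll(key, now)[1] += count

    def try_acquire(self, key, now):
        """Reserve one request if the estimate stays within the limit (assumption)."""
        if self.rate(key, now) + 1 > self.limit:
            return False
        self.record(key, now)
        return True


if __name__ == "__main__":
    budget = SlidingWindowBudget()
    tenant_a = ("constructed-client-id", "tenant-a")   # constructed sample keys
    tenant_b = ("constructed-client-id", "tenant-b")
    budget.record(tenant_a, 0.0, 260)     # previous minute
    budget.record(tenant_a, 75.0, 40)     # 15 s into the current minute
    print(budget.rate(tenant_a, 75.0))    # the page's worked example
    print(budget.try_acquire(tenant_b, 75.0))   # separate budget per tenant
```

In a real client, pass `time.monotonic()` as `now` and sleep when `try_acquire` returns `False`; a 429 from the API remains the authoritative signal.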