We have always had API rate limits to prevent abuse and to keep bad actors from hammering our API servers. This lets us control traffic and allow only legitimate requests through.
To further improve security, we've tightened the existing limits only for bad requests, i.e. calls that receive HTTP 400 Bad Request or HTTP 403 Forbidden. We've observed API calls being made without a valid authentication token or with malformed input fields; these are the only two new cases in which we have started throttling. In all other cases, the previous rate limits continue to apply as before.
We have introduced a short throttling period to reduce the load caused by bad requests. Whenever you receive a 429 status code, there is a cooldown period of 10s that must be respected. This is a sliding window: if you send more requests before the cooldown is over, the 10s window is extended again from that point, so a client that keeps retrying without pausing never gets out of it. This only affects clients that fire API requests in an "infinite loop" without properly handling response codes.
If you are continuously getting 429 because of the sliding throttling period described above, follow these steps:
1. Find the point in your code that keeps sending requests which come back as 400 or 403 (invalid input fields, or a missing or invalid token) faster than the rate limit defined here allows.
2. Fix the request (validate the input fields and make sure a valid authentication token is attached) and add a proper sleep in the loop so it stays within the rate limits. A request that returned 400 or 403 should not be retried unchanged; it will fail the same way and only feeds the throttle.
3. Stop the program, wait at least 10 seconds without sending any requests so the window expires, then restart it.
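The following is an added example (not the API provider's code) of the client behaviour the sliding cooldown above calls for: validate fields before sending, never retry a 400 or 403 unchanged, and on a 429 sit out the full 10s without sending anything, since any request inside the window extends it. Because the real API cannot be called here, the example includes a constructed simulator of the throttle as this page describes it; the trip threshold (BAD_REQUEST_BUDGET), the field names (token, user_id) and the validation rules are assumptions for illustration only.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

COOLDOWN_SECONDS = 10.0   # cooldown stated on this page
BAD_REQUEST_BUDGET = 3    # assumption: consecutive 400/403s before the throttle trips


@dataclass
class ThrottleSim:
    """Constructed stand-in for the API gateway so the client code runs offline.

    Models the page's description: once throttled, every request that arrives
    before the 10s window expires gets a 429 and pushes the window out by
    another 10s. The real trip threshold is not published; BAD_REQUEST_BUDGET
    and the field checks are assumptions.
    """
    clock: Callable[[], float] = time.monotonic
    requests: int = 0
    bad_count: int = 0
    throttled_until: float = 0.0

    def handle(self, payload: Dict) -> int:
        self.requests += 1
        now = self.clock()
        if now < self.throttled_until:
            self.throttled_until = now + COOLDOWN_SECONDS   # sliding window
            return 429
        if not payload.get("token"):
            status = 403                                   # missing/invalid auth token
        elif not isinstance(payload.get("user_id"), int) or payload["user_id"] <= 0:
            status = 400                                   # bad input field
        else:
            self.bad_count = 0
            return 200
        self.bad_count += 1
        if self.bad_count >= BAD_REQUEST_BUDGET:
            self.throttled_until = now + COOLDOWN_SECONDS
        return status


def validate(payload: Dict) -> Optional[str]:
    """Catch malformed requests locally so they never reach the API as a 400/403."""
    if not payload.get("token"):
        return "missing auth token"
    if not isinstance(payload.get("user_id"), int):
        return "user_id must be an integer"
    return None


def send_with_cooldown(api: ThrottleSim, payload: Dict,
                       sleep: Callable[[float], None], clock: Callable[[], float],
                       max_wait: float = 60.0) -> Tuple[str, object]:
    """Send one request, handling 429 by sitting out the full cooldown idle.

    400/403 are returned immediately: retrying an unchanged request cannot
    succeed and only feeds the bad-request throttle. 429 means wait
    COOLDOWN_SECONDS without sending anything, then retry, up to max_wait.
    """
    err = validate(payload)
    if err:
        return ("rejected_locally", err)
    deadline = clock() + max_wait
    while True:
        status = api.handle(payload)
        if status == 200:
            return ("ok", status)
        if status in (400, 403):
            return ("client_error", status)
        if status == 429:
            if clock() >= deadline:
                return ("gave_up", status)
            sleep(COOLDOWN_SECONDS)   # idle: no request may go out inside the window
            continue
        return ("unexpected", status)


class FakeClock:
    """Deterministic clock so the demo does not really sleep."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


def demo() -> Dict[str, object]:
    """Naive tight loop vs the cooldown-aware client against the simulator."""
    clock = FakeClock()
    api = ThrottleSim(clock=clock.now)
    bad = {"token": "t0k3n", "user_id": "42"}   # constructed: string id -> 400
    naive = []
    for _ in range(10):                         # the "infinite loop" anti-pattern
        naive.append(api.handle(bad))
        clock.sleep(0.5)                        # too short: every call extends the window
    good = {"token": "t0k3n", "user_id": 42}
    before = api.requests
    result = send_with_cooldown(api, good, clock.sleep, clock.now)
    return {"naive": naive, "good": result,
            "good_requests": api.requests - before, "elapsed": clock.t}
```

In the demo the naive loop gets three 400s, trips the throttle, and then sees nothing but 429s because each half-second retry pushes the window out again; the cooldown-aware client sends one request, gets a 429, waits the full 10s idle, and succeeds on its second request. In a real client, replace `ThrottleSim.handle` with the actual HTTP call and pass `time.sleep` and `time.monotonic` for `sleep` and `clock`.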
PS: This does not affect users who stay within the previous rate limits. If you are seeing 429s, check your existing scripts and codebases and validate/sanitize the request fields (and the authentication token) so that you stop sending requests that result in 400 or 403.