How do I implement the oauth_token into my request?
When making a request to Twitter's REST API:
https://api.twitter.com/1/users/show.json?screen_name=shakira
I get the rate limit error (Rate limit exceeded. Clients may not make more than 150 requests per hour.)
I have created a Twitter application and received an access token, which I am now trying to use to boost my rate limit to 350. I have tried adding it to the URL, like so:
https://api.twitter.com/1/users/show.json?oauth_token=MyAccessTokenGoesHere&screen_name=shakira
But that isn't working...
OAuth parameters should go to the header of your request, not in the URL. For more details check the following article in the documentation:
https://dev.twitter.com/docs/auth/authorizing-request
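Worked example added here, not taken from the question, the answer or the linked Twitter documentation: signing a request with OAuth 1.0a using only Python's standard library, so that every oauth_* parameter travels in the Authorization header and the URL carries nothing but the API's own query parameters. The consumer key/secret, access token/secret, nonce and timestamp below are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

# Constructed placeholder credentials (assumed values, not real Twitter keys).
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
ACCESS_TOKEN = "example-access-token"
ACCESS_TOKEN_SECRET = "example-access-token-secret"


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded(base URL) & encoded(sorted 'k=v' pairs of query + oauth_* params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret', base64 encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_authorization_header(method: str, url: str, query_params: dict,
                               *, nonce: str = None, timestamp: int = None) -> str:
    """Build the value of the Authorization header for one request.

    nonce/timestamp can be fixed for reproducible tests; in real use leave them None
    so a fresh random nonce and the current time are used for every request.
    """
    oauth_params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": ACCESS_TOKEN,
        "oauth_version": "1.0",
    }
    # The signature covers both the API query parameters and the oauth_* parameters.
    base = signature_base_string(method, url, {**query_params, **oauth_params})
    oauth_params["oauth_signature"] = sign(base, CONSUMER_SECRET, ACCESS_TOKEN_SECRET)
    header = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))
    return "OAuth " + header


def build_request(method: str, url: str, query_params: dict, **kw):
    """Return (full_url, headers): oauth_* lives in the header, the URL keeps only API params."""
    full_url = f"{url}?{urlencode(query_params)}" if query_params else url
    headers = {"Authorization": oauth_authorization_header(method, url, query_params, **kw)}
    return full_url, headers


if __name__ == "__main__":
    u, h = build_request("GET", "https://api.twitter.com/1/users/show.json",
                         {"screen_name": "shakira"})
    print(u)
    print(h["Authorization"])
```

The base URL passed to the signer must be the URL without its query string, and the same parameter set that is signed must be the one actually sent; a mismatch in either (a trailing slash, a parameter added after signing) yields a valid-looking header that the server rejects as 401.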
Related
Up until today I have been able to use Google's api for exchanging an authorization code for an access token. Haven't had any problems with this for the past year. But now I'm getting a 403 status code. My POST body looks like this:
code=4%2FUwDPiS*********&
redirect_uri=https%3A%2F%2Flocalhost%3A57081&
client_id=123******&
client_secret=123*******&
scope=&
grant_type=authorization_code
The api endpoint is:
https://www.googleapis.com/oauth2/v4/token/
The Google API playground works fine when exchanging authorization tokens.
I thought that maybe Google was getting strict and required https to the redirect (which I did not have originally). But even after adding https, it didn't help. Is it possible that Google is now blocking redirects to localhost? If not, what other problem could it be?
Either Google's OAuth service was down at the time or my limit on calling the api was reached. Have no idea what caused the problem but it worked 24 hours later. In the event that you suspect that your limit was reached, you should check out this link:
https://support.google.com/cloud/answer/9028764
We have implemented a central token store for making multiple Podio API requests from AWS Lambda using the same access tokens. I have been seeing frequent "unauthorized" exceptions returned from Podio. When I use the token from the "unauthorized" request directly in REST Client it works fine. In addition, the rate limit values show that I am not near the limit. Is there a limit to the number of concurrent requests in Podio by account? Thanks for any help.
If Podio returns 403 Unauthorized then the access token you've provided is not valid for the resource requested. And there is no way that the same request for the same resource with the same access token that got 403 once will get a successful response when you run it from another client.
If you want to troubleshoot it well: record/log full https request and response.
Regarding the rate limit part of your question: there is a different limit for the login operation. And there is no general limit on the number of concurrent requests by account, but the load balancer and DDoS protection might kick in if you go insane.
On the Twitter Rate Limiting page (https://dev.twitter.com/docs/rate-limiting) it says
"Unauthenticated calls are permitted 150 requests per hour. Unauthenticated calls are measured against the public facing IP of the server or device making the request."
Is that measurement based on the end-user IP address or the server IP (the IP of http://xxxx.com)?
Is there a way to increase the limit, maybe through some paid service of Twitter?
Regards,
Navin
Server IP
No. But you should use authenticated calls (OAuth) - you get 350 requests per hour. Each authenticated user of your app has 350 calls you can use, IP ignored.
Hoping someone can help me out here. I'm using Google Contacts API to fetch a list of contacts. To my understanding, this is done by sending a GET request:
https://www.google.com/m8/feeds/contacts/default/full?alt=json&max-results=9999&oauth_token=OATH_TOKEN_HERE
However, this is wildly insecure as any intruder can gain access to the oauth_token in the URL. To combat this, I'm trying to send this as a POST request with my parameters (alt, max-results, oauth_token) as the data. However, I simply get an error that "Authorization is required". I've tried adding "Authorization: OAuth" to my headers but to no avail (get an error that authorization type is not recognized).
Any advice? I need a secure way to send the oauth token to Google such that my security software won't complain about a security hole in my program ...
Thanks!
To answer your question directly, even though security is irrelevant as you are using HTTPS, you cannot POST to Google to get a list of contacts. Google requires you to use GET.
The proper formatting for authorization (because you can still use a GET and not pass the oauth_token as a query string) is to use an HTTP header formatted:
Authorization: Bearer 1/fFBGRNJru1FQd44AzqT3Zg
Using OAuth 2.0 to Access Google APIs
Here http://developer.twitter.com/pages/rate-limiting we can read that:
Anonymous calls are based on the IP of the host and are permitted 150 requests per hour. This classification includes unauthenticated requests (such as RSS feeds), and authenticated requests to resources that do not require authentication.
OAuth calls are permitted 350 requests per hour.
And as we can see at http://dev.twitter.com/doc/get/users/show - it does not require authentication.
So I expected my localhost would reach the limit for accessing the users/show/zerkms endpoint after 150 requests. But I was able to perform all 350 requests.
Where is the truth?
If you are sending authentication headers to Twitter, then your rate limit will be the authenticated rate limit of 350 requests to rate limited resources per hour, and this is regardless of whether you are calling methods that do not require authentication.
So, since you were authenticated, you had 350 API calls you could burn. If you were unauthenticated, you could only have made 150 calls.
Edit:
I believe the documentation you specify is indeed incorrect. Authenticated requests to resources that do not require authentication, are not subject to the unauthenticated rate limit. Rather they are subject to the rate limit restriction of the currently authenticated account.
For example, if I make an authenticated call to users/show (a resource that does not require authentication) the rate limit headers on the HTTP response show X-RateLimit-Limit: 20000, X-RateLimit-Remaining: 19999. If I then make an unauthenticated call immediately to users/show, my rate limit headers show X-RateLimit-Limit: 150, X-RateLimit-Remaining: 149.
There's a difference between requiring authentication and supporting authentication. If you provide authentication, in most cases, the Twitter API will consider it an authenticated request. If you want to ensure that your request is evaluated unauthenticated, don't send authentication.
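Example added here, not from any of the answers above, covering two points on this page at once: the Google Contacts answer (send a GET with `Authorization: Bearer ...` instead of `oauth_token` in the query string) and this answer's X-RateLimit-* headers (which bucket a response was counted in, and when to pause). It uses Python's standard urllib; the base URL, token and header values are constructed placeholders, and X-RateLimit-Reset (an epoch-seconds reset time, not mentioned on this page) is assumed as an optional header.

```python
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Query-string keys that should never carry a credential (assumed list for this example).
TOKEN_QUERY_KEYS = {"oauth_token", "access_token"}


def url_has_token(url: str) -> bool:
    """True if a credential-looking key appears in the query string (it would end up in logs/referers)."""
    return bool(TOKEN_QUERY_KEYS & set(parse_qs(urlsplit(url).query)))


def bearer_get_request(base_url: str, params: dict, access_token: str) -> urllib.request.Request:
    """Build a GET whose token travels only in the Authorization header.

    Refuses to build a request if the caller tried to put the token into the query
    parameters, which is exactly the leak the Contacts question was worried about.
    """
    leaked = TOKEN_QUERY_KEYS & set(params)
    if leaked:
        raise ValueError(f"token must not be sent in the query string: {sorted(leaked)}")
    url = f"{base_url}?{urlencode(params)}" if params else base_url
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def rate_limit_status(headers: dict, now: int) -> dict:
    """Interpret X-RateLimit-* response headers (case-insensitive).

    A limit of 150 is the per-IP unauthenticated bucket; anything else means the
    request was counted against the authenticated account, as the answer describes.
    wait_seconds is how long to pause before the next call once the bucket is empty.
    """
    h = {k.lower(): v for k, v in headers.items()}
    limit = int(h["x-ratelimit-limit"])
    remaining = int(h["x-ratelimit-remaining"])
    reset_at = int(h.get("x-ratelimit-reset", now))  # assumed optional header
    return {
        "limit": limit,
        "remaining": remaining,
        "bucket": "unauthenticated (per IP)" if limit == 150 else "authenticated (per account)",
        "wait_seconds": max(0, reset_at - now) if remaining == 0 else 0,
    }


if __name__ == "__main__":
    # Constructed sample: the Contacts feed URL from the question, token moved to the header.
    req = bearer_get_request("https://www.google.com/m8/feeds/contacts/default/full",
                             {"alt": "json", "max-results": "9999"}, "example-token")
    print(req.full_url, req.get_header("Authorization"))
    # Constructed sample response headers matching the two cases in the answer.
    print(rate_limit_status({"X-RateLimit-Limit": "20000", "X-RateLimit-Remaining": "19999"}, now=0))
    print(rate_limit_status({"X-RateLimit-Limit": "150", "X-RateLimit-Remaining": "149"}, now=0))
```

Checking the bucket on every response is a cheap way to notice a client that silently drops its Authorization header (a refresh failure, a proxy stripping it): the limit suddenly falls to 150 even though no code path changed.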
I think it's related to http://dev.twitter.com/doc/get/statuses/followers and the old 'basic auth' because it starts with "depending on the authorization method" (even though there's only one method nowadays?). It doesn't require authentication but in some cases it does.
To make developers move to OAuth, they increased that rate limit when an API call is done using OAuth; that's what the second statement says.