Getting rate limit

[kkhanal18]

Getting rate limit error when testing API. So the limit is 100 per day? Is there way to bypass?

atproto_client.exceptions.RequestException: Response(
    success=False,
    status_code=429,
    content=XrpcError(error="RateLimitExceeded", message="Rate Limit Exceeded"),
    headers={
        "Date": "Sat, 14 Sep 2024 16:45:53 GMT",
        "Content-Type": "application/json; charset=utf-8",
        "Content-Length": "61",
        "Connection": "keep-alive",
        "X-Powered-By": "Express",
        "Access-Control-Allow-Origin": "*",
        "RateLimit-Limit": "100",
        "RateLimit-Remaining": "0",
        "RateLimit-Reset": "1726348078",
        "RateLimit-Policy": "100;w=86400",
        "ETag": 'W/"3d-egyFOcXCrKQFzoI7522/4+PpxIk"',
        "Vary": "Accept-Encoding",
    },
)

[itaru2622]

@kkhanal18

if your atproto_client calls PDS API, you can bypass ratelimit by self hosting your own PDS
https://github.com/bluesky-social/pds with PDS_RATE_LIMITS_ENABLED=false

atproto/packages/pds/src/config/env.ts

Lines 97 to 99 in 319aa7c

	rateLimitsEnabled: envBool('PDS_RATE_LIMITS_ENABLED'),
	rateLimitBypassKey: envStr('PDS_RATE_LIMIT_BYPASS_KEY'),
	rateLimitBypassIps: envList('PDS_RATE_LIMIT_BYPASS_IPS'),

but if you are testing other component API, it may be hard to bypass ratelimit.

[dankbl]

I'm getting this too - why is the limit 100/day when in the docs I see a limit of 3000 every 5 minutes? All I'm using is login, uploadBlob, and post.

[dankbl]

After some more searching it looks like this is because they want us to use JWT tokens instead of logging the agent in every time. I've figured out how to save and refresh my token - is there a simple way of getting the Atproto/BskyAgent to use the token instead of the agent.login(...) from the tutorials? I'd like to use the agent.uploadBlob and agent.post calls I've already written instead of re-writing those as fetchs. I've tried a few things but it seems to be ignoring any headers I try and set in the constructor or those I set by configuring a static fetch handler.

[dankbl]

Ok I can confirm in my case it was because of the login/createSession limits and switching to tokens I haven't hit any rate limits. Here's the post that clued me in and links to a php implementation https://bsky.app/profile/olafmoriarty.bsky.social/post/3l3rq7xzoql2o
I read elsewhere that access tokens last 2 hours and refresh tokens 2 months, but I don't know if those numbers are accurate.

[TinyAtoms]

Just wanted to throw this in here for when people stumble across the same issue
session reuse example in python https://github.com/MarshalX/atproto/blob/main/examples/advanced_usage/session_reuse.py

[ledlamp]

Rate limit on what? On com.atproto.server.createSession or on anything? A rate limit of 100 logins per day makes sense cause you shouldn't have to log in so much.

[davidsainez]

Anyone have a reference to how to get/refresh the JWT in a javascript/typescript environment? Running into the same issue.

[dankbl]

Here's the function I made that uses the moment library. My script runs on a cron so it saves the info in a flat file between runs.

async function getToken() {
  const file = path.resolve(__dirname, 'token', (isTest ? 'test.' : '') + 'token' + '.json');
  const now = moment();
  let tokenJson = {};
  if (fs.existsSync(file)) {
    tokenJson = JSON.parse(fs.readFileSync(file, 'utf8'));
  } else {
    const old = moment().subtract(2, 'years');
    tokenJson = {
      accessDate: old.format(),
      refreshDate: old.format()
    };
  }
  if (now.diff(tokenJson.refreshDate, 'days') > 50) {
    // refresh token is old, full login
    const loginJson = await agent.login({ identifier: isTest ? testUser.username: prodUser.username, password: isTest ? testUser.password: prodUser.password });
    tokenJson.did = loginJson.data.did;
    tokenJson.accessJwt = loginJson.data.accessJwt;
    tokenJson.refreshJwt = loginJson.data.refreshJwt;
    tokenJson.accessDate = now.format();
    tokenJson.refreshDate = now.format();
  } else {
    if (now.diff(tokenJson.accessDate, 'minutes') > 90) {
      // access token needs a refresh
      const refreshResponse = await fetch(
        bskyService + '/xrpc/com.atproto.server.refreshSession',
        {
          method: 'POST',
          headers: {
            'Accept': 'application/json',
            'Authorization': 'Bearer ' + tokenJson.refreshJwt
          }
        }
      );
      const refreshJson = await refreshResponse.json();
      tokenJson.accessJwt = refreshJson.accessJwt;
      tokenJson.refreshJwt = refreshJson.refreshJwt;
      tokenJson.accessDate = now.format();
    }
  }
  fs.writeFileSync(file, JSON.stringify(tokenJson));
  return { token: tokenJson.accessJwt, did: tokenJson.did };
}

[paulglx]

I'm also getting this error - the limit is now 10 per day.

Response(
    success=False,
    status_code=429,
    content=XrpcError(error='RateLimitExceeded', message='Rate Limit Exceeded'),
    headers={'date': 'Wed, 22 Jan 2025 16:19:25 GMT', 
        'content-type': 'application/json; charset=utf-8',
        'content-length': '61', 
        'connection': 'keep-alive',
        'x-powered-by': 'Express', 
        'access-control-allow-origin': '*',
        'ratelimit-limit': '10', 
        'ratelimit-remaining': '0',
        'ratelimit-reset': '1737633541',
        'ratelimit-policy': '10;w=86400', 
        'etag': '...',
        'vary': 'Accept-Encoding'}
)

[AlanBell]

Mine is posting weather warnings, and we have a storm coming on Friday so it had quite a few warnings today, probably the first time in a while that it has attempted to log in 10 times in a day. Seems super low as a limit, and I am now locked out to 7am tomorrow from that IP address.
It is going to make it rather hard for people to start working with the Bluesky API if they get shut out for the day so quickly.

[paulglx]

The docs mention this and tell us to store session information in a local file instead of re-logging in with basic auth credentials each time.

atproto.blue/en/latest/atproto_client/auth.html#session-string

[AlanBell]

Which is fine, but the docs there say it is 300/day which is a long way from 10/day. I now can't test the session string handling stuff until tomorrow when I get 10 chances to successfully get it working!

[paulglx]

💡 WORKAROUND

You can fill the session details manually, by logging into your account from the browser, and getting the credentials there.

With the following code, the session is created using the session string.

client = Client()

with open('session.txt') as f:
    session_string = f.read()

if session_string:
    profile = client.login(session_string=session_string)
else:
    profile = client.login(username, password)
    session_string = client.export_session_string()
    with open('session.txt', 'w') as f:
        f.write(session_string)

print(f"Logged into {profile.display_name} (@{profile.handle})")

Fill session.txt with the following format (::: separates the fields) :

[handle]:::[did]:::[access_token]:::[refresh_token]

To find the data, open your browser, go to Bluesky, and open the developer console. Go under the "network" tab, and search for the app.bsky.actor.getProfile request.

• handle : this is your Bluesky @
• did : first line in the 'Response' subtab. It looks like did:something:something
• access_token : find this from the 'Headers' subtab, under 'Request Headers' > 'Authorization'. Do not include 'Bearer'. It looks like eyJ0 ...
• refresh_token : I don't know where to find the actual refresh token, but you can use the access token as a placeholder. The downside is that the connection won't refresh automatically.

Using this method, I could authenticate my Python client even though logging in with user/password is rate limited for the day.

Sources : Session string format - Separator

[kajupe]

This seems to be a good method. I've been thinking about how to check the validity of the login though, like an is_logged_in function that makes a really simple api call to test the connection or something like that in case the rate limit is reached and I need to use a backup method instead. Haven't been able to get anything working though, does anyone more experienced have ideas for something like that?

[paulglx]

As per a previous comment, you can fill the session details manually, by logging into your account from the browser, and getting the credentials there.

With the following code, the session is created using the session string.

client = Client()

with open('session.txt') as f:
    session_string = f.read()

if session_string:
    profile = client.login(session_string=session_string)
else:
    profile = client.login(username, password)
    session_string = client.export_session_string()
    with open('session.txt', 'w') as f:
        f.write(session_string)

print(f"Logged into {profile.display_name} (@{profile.handle})")

Fill session.txt with the following format (::: separates the fields) :

[handle]:::[did]:::[access_token]:::[refresh_token]

To find the data, open your browser, go to Bluesky, and open the developer console. Go under the "network" tab, and search for the app.bsky.actor.getProfile request.

• handle : this is your Bluesky @
• did : first line in the 'Response' subtab. It looks like did:something:something
• access_token : find this from the 'Headers' subtab, under 'Request Headers' > 'Authorization'. Do not include 'Bearer'. It looks like eyJ0 ...
• refresh_token : I don't know where to find the actual refresh token, but you can use the access token as a placeholder. The downside is that the connection won't refresh automatically.

Using this method, I could authenticate my Python client even though logging in with user/password is rate limited for the day.

Sources : Session string format - Separator