3
votes

Here http://developer.twitter.com/pages/rate-limiting we can read that:

  • Anonymous calls are based on the IP of the host and are permitted 150 requests per hour. This classification includes unauthenticated requests (such as RSS feeds), and authenticated requests to resources that do not require authentication.
  • OAuth calls are permitted 350 requests per hour.

And as we can see at http://dev.twitter.com/doc/get/users/show - it does not require authentication.

So I expected that my localhost would reach the limit for accessing the users/show/zerkms endpoint after 150 requests. But I was able to perform all 350 requests.

Where is the truth?

3
Were you still logged into twitter.com? Maybe it recognized you and allowed it anyway. - Merijn
@Merijn: yes, I was authenticated in my application. But as the documentation says - this should not rely on the requests that don't require authentication. - zerkms
Interesting. See dev.twitter.com/pages/rate_limiting_faq#measurement (Multiple user accounts in a Twitter client each have their own user rate limit but share the unauthenticated requests....). Probably the Twitter team has changed internals recently without updating the documentation. - Alik
@Konstantin Mikhaylov: yes, I saw that too ;-) - zerkms

3 Answers

3
votes

If you are sending authentication headers to Twitter, then your rate limit will be the authenticated rate limit of 350 requests to rate limited resources per hour, and this is regardless of whether you are calling methods that do not require authentication.

So, since you were authenticated, you had 350 API calls you could burn. If you were unauthenticated, you could only have made 150 calls.

Edit: I believe the documentation you specify is indeed incorrect. Authenticated requests to resources that do not require authentication are not subject to the unauthenticated rate limit. Rather, they are subject to the rate limit restriction of the currently authenticated account.

For example, if I make an authenticated call to users/show (a resource that does not require authentication) the rate limit headers on the HTTP response show X-RateLimit-Limit: 20000, X-RateLimit-Remaining: 19999. If I then make an unauthenticated call immediately to users/show, my rate limit headers show X-RateLimit-Limit: 150, X-RateLimit-Limit: 149.
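The check described in the answer above, reading the rate-limit headers to see which quota a call was actually charged to, as an added example that is not part of the original answer. The responses are constructed from the header values quoted in the answer; the function names and the rule that a limit of 150 marks the per-IP bucket are assumptions.

```python
ANON_LIMIT = 150  # per-IP hourly limit for anonymous calls, from the quoted docs

# Constructed responses; the header values are the ones quoted in the answer above.
AUTH_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                 "X-RateLimit-Limit: 20000\r\nX-RateLimit-Remaining: 19999\r\n\r\n{}")
ANON_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                 "x-ratelimit-limit: 150\r\nx-ratelimit-remaining: 149\r\n\r\n{}")
NO_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"


def parse_headers(raw_response):
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def charged_quota(raw_response):
    """Return (bucket, limit, remaining) for the quota the server reports."""
    headers = parse_headers(raw_response)
    try:
        limit = int(headers["x-ratelimit-limit"])
        remaining = int(headers["x-ratelimit-remaining"])
    except (KeyError, ValueError):
        return ("unknown", None, None)
    # Assumption: a limit equal to the anonymous ceiling means the per-IP bucket.
    bucket = "ip" if limit == ANON_LIMIT else "account"
    return (bucket, limit, remaining)


def check_call(sent_credentials, raw_response):
    """Compare the quota actually charged with the one the caller expected."""
    bucket, limit, remaining = charged_quota(raw_response)
    expected = "account" if sent_credentials else "ip"
    if bucket == "unknown":
        return "no rate-limit headers; cannot tell which quota was charged"
    if bucket != expected:
        return f"expected {expected} quota but {bucket} quota was charged"
    return f"{bucket} quota charged, {remaining} of {limit} left"


if __name__ == "__main__":
    for sent, raw in [(True, AUTH_RESPONSE), (False, ANON_RESPONSE), (True, ANON_RESPONSE)]:
        print(sent, "->", check_call(sent, raw))
```

A mismatch result (credentials sent but the per-IP quota charged) is the case worth logging, since it means the server did not treat the request as authenticated.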

1
votes

There's a difference between requiring authentication and supporting authentication. If you provide authentication, in most cases, the Twitter API will consider it an authenticated request. If you want to ensure that your request is evaluated unauthenticated, don't send authentication.

1
votes

I think it's related to http://dev.twitter.com/doc/get/statuses/followers and the old 'basic auth' because it starts with "depending on the authorization method" (even though there's only one method nowadays?). It doesn't require authentication but in some cases it does.

To make developers move to OAuth, they increased that rate limit when an API call is done using OAuth; that's what the second statement says.