Closed darrelmiller closed 1 year ago
ioggstream
commented
1 year ago @darrelmiller we are open to clarifications. The rationale for the current behavior is in https://github.com/ietf-wg-httpapi/ratelimit-headers/issues/11#issuecomment-984430821
I think RateLimit-Reset is always REQUIRED.
A server that returns the RateLimit-Reset header field MUST also send either the RateLimit-Limit or RateLimit-Remaining header field, or both
darrelmiller
commented
1 year ago @ioggstream In theory someone could use RateLimit-Limit to provide a limited number of "free" requests as a trial for their API. They may not choose to have a reset window and just require payment before allocating more calls. This is a bit of an edge case use of the headers, but might be just enough of a justification to limit constraints that we add.
Having said this, I still don't understand how we can make any of these headers required considering there are so many existing APIs that don't return these headers today. How does a developer decide if they MUST return these headers for their API?
Assuming the "free trial" scenario is not considered a valid scenario for this header, then how would you feel about these words?
A response that includes the RateLimit-Limit header field MUST also include the RateLimit-Reset. It MAY also include a RateLimit-Remaining header field.
ioggstream
commented
1 year ago SGTM.
In section 4 it says,
In section 4.1 it says,
These statements seem contradictory. I do not see how we can declare
RateLimit-Limitas REQUIRED considering many APIs do not and will not implement these headers.It seems to me that if a client receives a
RateLimit-Limitheader they can choose to either count the requests they make within the time window or they can monitor theRateLimit-Remaining. With neither of those values it would be difficult to do something useful.How would you feel about words like this: