soundcloud / api

A public repo for our Developer Community to engage about bugs and feature requests on our Public API

429 Error Requesting Auth Token (API Security Updates) #148

Open loebpaul opened 3 years ago

loebpaul commented 3 years ago

Title: 429 Error Requesting Auth Token (API Security Updates)

Issue found of: September 24th, 2021

Endpoint(s):

Scope(s):

Steps to reproduce:

We are receiving an unexpected 429 HTTP response when following the new specification:

curl --request POST \
--url https://api.soundcloud.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID \
--data client_secret=CLIENT_SECRET \
--data grant_type=client_credentials

=>
{
  "code":429,
  "message":"rate_limit_exceeded",
  "link":"https://developers.soundcloud.com/docs/api/rate-limits#errors",
  "status":"429 - Too Many Requests",
  "errors":[
    {"error_message":"rate_limit_exceeded"}
  ],
  "error":null,
  "error_code":"rate_limit_exceeded"
}

Expected behaviour:

A returned token we can use for subsequent API requests

Actual behaviour:

429 Server Error (inconsistently)

Notes:

I know the error message says "rate_limit_exceeded"; however, based on our volume, I don't think this is actually the case. In addition, the SoundCloud documentation states that you are only rate limiting very specific parts of the API. Requesting a token is not one of those scenarios.

Please help! Thank you

icreatestuff commented 3 years ago

I'm seeing this too. The documentation seems to indicate that there should be some more context provided such as when the limit is due to reset, however I see the response as you've written @loebpaul

rahul-sc commented 3 years ago

Hiya. We missed updating the docs and we will update them.

The release notes capture this https://github.com/soundcloud/api/releases

icreatestuff commented 3 years ago

OK thanks @rahul-sc. Can you add a more user friendly message and context to the API response to indicate either when it will be possible to request another token (e.g. "reset_time": "2021/10/11 09:49:40 +0000") or that the "50 oauth2/token requests per 12 hour period limit has been exceeded"?

The current response doesn't tell us what the rate limit is or when it will reset. Thanks.

quiin commented 3 years ago

Thanks @rahul-sc! From the release notes above it appears that the rate limit only applies when requesting a new access token (i.e. grant_type = client_credentials); is there or will there be a similar limit for refreshing an existing token? (i.e. grant_type = refresh_token)

rahul-sc commented 3 years ago

> Thanks @rahul-sc! From the release notes above it appears that the rate limit only applies when requesting a new access token (i.e. grant_type = client_credentials); is there or will there be a similar limit for refreshing an existing token? (i.e. grant_type = refresh_token)

The rate limit is only for new token pair issuance, I believe.

vojkny commented 2 years ago

This happens to me too. Also the documentation states, that it will contain verbose information:

{
  "rate_limit": {
    "group": "plays",
    "max_nr_of_requests": 15000,
    "time_window": "PT24H"
  },
  "remaining_requests": 0,
  "reset_time": "2015/06/01 09:49:40 +0000"
}

Unfortunately this information is missing and it is very hard to debug.

lsz-tp commented 2 years ago

@rahul-sc Hi! We're developing a widely used mobile app for a client where users can stream media from the client's SoundCloud account via the SoundCloud API and lately we see many 429 errors. Based on the linked release notes it's very likely that the 50 token per 12 hour limit is exceeded. Is there any way to solve this issue? Is there a paid plan for the API without this limit?

Can you recommend any other way to stream media from SoundCloud inside the app in case we can't use the SoundCloud API directly?

SalimehHabibi commented 2 years ago

Hi, thanks for reaching out to us. As it's mentioned here, the only way to solve this issue is by implementing the refresh token.
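The pattern the maintainers point to (reuse the cached access token, refresh it with grant_type=refresh_token, and request a brand-new pair with client_credentials only as a last resort) as an added example, not code from the SoundCloud API project or from anyone in this thread. It assumes the standard OAuth2 token-response fields (access_token, refresh_token, expires_in), that a refresh token is single-use, and that a rejected refresh comes back as a non-200 status; the 50-issuances-per-12-hours figure and the 429 body shape are taken from the thread. The FakeTokenEndpoint is a constructed stand-in so the example runs offline; the simulate() helper compares the naive "new token per request" pattern that this thread reports hitting 429s with against the refresh-based manager.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_URL = "https://api.soundcloud.com/oauth2/token"   # endpoint from the issue
ISSUANCE_LIMIT = 50                                       # per the quoted release notes
ISSUANCE_WINDOW = 12 * 3600                               # 12 hours, in seconds

Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict]]  # (url, form) -> (status, json)


class TokenError(Exception):
    """The token endpoint rejected the grant (not a rate limit)."""


class RateLimited(TokenError):
    """429 from the token endpoint: back off instead of retrying in a tight loop."""


@dataclass
class TokenCache:
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_at: float = 0.0


class TokenManager:
    """Hands out one cached access token and refreshes it; a new token pair is
    only requested when there is nothing to refresh or the refresh is rejected."""

    def __init__(self, client_id: str, client_secret: str, post: Transport,
                 clock: Callable[[], float] = time.time, skew: float = 60):
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock, self.skew = post, clock, skew
        self.cache = TokenCache()

    def get_access_token(self) -> str:
        now = self.clock()
        # 1. Still valid (with a safety margin): no network call at all.
        if self.cache.access_token and now < self.cache.expires_at - self.skew:
            return self.cache.access_token
        # 2. Expired but refreshable: refresh_token grant, which the thread says
        #    is not counted against the issuance limit.
        if self.cache.refresh_token:
            try:
                return self._grant({"grant_type": "refresh_token",
                                    "refresh_token": self.cache.refresh_token})
            except RateLimited:
                raise
            except TokenError:
                pass  # refresh token revoked or expired: fall through to a fresh issuance
        # 3. Last resort: a new pair, which consumes one of the 50 issuances.
        return self._grant({"grant_type": "client_credentials"})

    def _grant(self, params: Dict[str, str]) -> str:
        form = {"client_id": self.client_id, "client_secret": self.client_secret, **params}
        status, body = self.post(TOKEN_URL, form)
        if status == 429:
            raise RateLimited(body.get("error_code", "rate_limit_exceeded"))
        if status != 200 or "access_token" not in body:
            raise TokenError(body)
        self.cache = TokenCache(
            access_token=body["access_token"],
            refresh_token=body.get("refresh_token", self.cache.refresh_token),
            expires_at=self.clock() + float(body.get("expires_in", 3600)),
        )
        return self.cache.access_token


class FakeClock:
    """Constructed clock so the simulation does not sleep."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class FakeTokenEndpoint:
    """Constructed stand-in for /oauth2/token: enforces the 50-per-12h limit on
    client_credentials only, answers (single-use) refresh_token grants without
    counting them, and returns the 429 body shape quoted in the issue."""

    def __init__(self, clock: Callable[[], float]) -> None:
        self.clock, self.issued_at, self.valid_refresh = clock, [], set()
        self.total_issued = self.refreshes = self.seq = 0

    def __call__(self, url: str, form: Dict[str, str]) -> Tuple[int, Dict]:
        assert url == TOKEN_URL
        now, grant = self.clock(), form.get("grant_type")
        if grant == "client_credentials":
            self.issued_at = [t for t in self.issued_at if now - t < ISSUANCE_WINDOW]
            if len(self.issued_at) >= ISSUANCE_LIMIT:
                return 429, {"code": 429, "message": "rate_limit_exceeded",
                             "status": "429 - Too Many Requests",
                             "error_code": "rate_limit_exceeded"}
            self.issued_at.append(now)
            self.total_issued += 1
        elif grant == "refresh_token":
            if form.get("refresh_token") not in self.valid_refresh:
                return 401, {"error": "invalid_grant"}   # assumed rejection shape
            self.valid_refresh.discard(form["refresh_token"])
            self.refreshes += 1
        else:
            return 400, {"error": "unsupported_grant_type"}
        self.seq += 1
        self.valid_refresh.add(f"rt-{self.seq}")
        return 200, {"access_token": f"at-{self.seq}", "refresh_token": f"rt-{self.seq}",
                     "expires_in": 3600}


def simulate(calls: int, interval: float, naive: bool) -> Tuple[int, int, int]:
    """Make `calls` API calls `interval` seconds apart. naive=True requests a new
    pair for every call; otherwise TokenManager is used.
    Returns (token pairs issued, refreshes, calls that hit 429)."""
    clock = FakeClock()
    server = FakeTokenEndpoint(clock)
    mgr = TokenManager("CLIENT_ID", "CLIENT_SECRET", server, clock=clock)
    rate_limited = 0
    for _ in range(calls):
        if naive:
            status, _ = server(TOKEN_URL, {"grant_type": "client_credentials"})
            rate_limited += status == 429
        else:
            try:
                mgr.get_access_token()
            except RateLimited:
                rate_limited += 1
        clock.advance(interval)
    return server.total_issued, server.refreshes, rate_limited


if __name__ == "__main__":
    print("naive  :", simulate(144, 600, naive=True))    # one call every 10 min for 24 h
    print("managed:", simulate(144, 600, naive=False))
```

To use it against the real endpoint, pass a transport such as `lambda url, form: (r := requests.post(url, data=form)).status_code and (r.status_code, r.json())` written out properly, and persist `mgr.cache` across process restarts (a mobile app that re-issues a pair on every launch burns the budget just as fast as one that re-issues per request). When RateLimited is raised there is nothing to retry quickly: the response carries no reset time, so the caller should keep using any still-valid token and wait before asking for a new pair.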