[#1436] Too many requests and Access denied errors from API

Migrated from Redmine #1436 | Author: Xavi Valero
Status: Feedback | Priority: Immediate, there is BUG! | Created: 2025-07-09


Hi there,

We have made an integration with SimplyBookMe API working on this URL:

Since Thursday, July 3rd, we have been experiencing “Too many requests” errors. When this happens, we get blocked indefinitely (sometimes for longer periods like hours). We think it could be related to API rate limits. Our processes are cached, such as the getCategories process which is the most important one for us.

LOG 1 Getting Categories: The following process is CACHED

  • Getting token: Obtain token via getToken endpoint successfully
  • Getting categories: Get categories via getCategoriesList endpoint.
    Error response we get:
    {"response":{"stdClass":{"error":{"code":-32600,"message":"Too many requests","data":[]},"id":"1","jsonrpc":"2.0"}}}

Additionally, since yesterday (July 8th), when we try to get memberships, we get “Access denied” errors. This process is performed during login where we first get client info and then call get membership. Until yesterday, this had not caused any problems.

LOG 2 Getting Membership: The following process is done ONLY during login:

Get client info to store into the session:

  • Getting Token: Obtain token via getToken endpoint successfully.
  • Getting Client Info: Obtain client info to store in session via getClientInfoByLoginPassword successfully

Get Membershiplist

  • Getting Token: Obtain token via getToken endpoint. ERROR: Token Response is empty.

Currently our code proceeds to get the client’s membership via getClientMembershipList endpoint (with this empty token), where we get this error:
{ "error": {"code": -2600 +"message": "Access denied" +"data": [] } +"id": "1" +"jsonrpc }

We would like to know if you can check your logs against ours and assist with this issue. We have not deployed any code that affects this functionality, so we don’t understand what could be causing this, especially this new error in the membership process which was working fine.

This is really urgent for us as it’s stopping the activity of our client.

Thanks in advance,
Xavi

Dmytro Bondarev wrote:

Hi, we don’t have any changes regarding this matter.
Please make sure that nobody abuses your API, cache all possible data and reuse your tokens.

Xavi Valero wrote:

Dmytro Bondarev wrote in #note-1:

Hi, we don’t have any changes regarding this matter.
Please make sure that nobody abuses your API, cache all possible data and reuse your tokens.

Hi Dmytro,

Thanks for your response. We understand the importance of optimizing our API usage and we’re already implementing improvements on our side.

To better resolve this issue, could you please provide some additional information:

  1. Token TTL: What’s the lifetime of tokens obtained via getToken? This will help us implement proper token caching.
  2. Current usage monitoring: Is there a way for us to monitor our current API usage (daily requests, requests per second)? This would help us identify if we’re hitting the limits.
  3. Rate limit confirmation: Can you confirm we’re hitting some of the documented limits (5,000 requests/day, 5/second, 2 parallel)? Our logs show consistent blocking that started July 3rd but it’s quite random so we think it’s not related to daily limit but multiple requests at the same time. How much time does it take to reset the API limit for these cases (5 requests per second or 2 parallel requests)?
  4. Usage patterns: Are you seeing any unusual patterns in our API usage that could explain the sudden onset of these errors?

We’re committed to following best practices and have already started:

  • Implementing token reuse and caching
  • Auditing our API calls to reduce unnecessary requests

Any additional insights you can provide would be greatly appreciated.

Thanks again for your help.

Best regards,
Xavi

Dmytro Bondarev wrote:

Hi, sorry for the delay.

  1. It is 30 minutes, but you can count on the 419 HTTP status: if you receive it, you can issue a new one with the refresh token.
  2. Unfortunately not at the moment.
  3. Those are the correct limits. Could you please provide the errors you received?
  4. Unfortunately we are not able to provide this information; we don’t know your patterns, etc.