#fobor-request-overflow

Hi there! We do throttle API requests as a whole for your account.

In live mode: 100 requests per second for Reads and Writes.

In test mode: 25 requests per second for Reads and Writes.

For File API specifically the limit is 20 requests per second.

If you would like to learn more, please refer to https://stripe.com/docs/rate-limits

Oh wow good to know. So if I have a custom cancel page where I am not using the customer billing portal to cancel, I can be faced with this? What if the customer uses the billing portal?

My custom cancel page I have it where the customer needs to have an outstanding balance of $0 and if they have an active product id subscription

in order to view the cancel page

Basically it checks that they paid off everything and if they have an active subscription then I allow them to finally cancel

I fear that they will spam click the cancel page though and try to run that checking code over and over

Depends on the type of requests you are making from your custom cancel page, e.g. if a Customer lands your page and cancel a subscription, ideally the flow of requests are as follows:

• Retrieve Customer object (GET Customer request)
• Retrieve Subscription object (GET Subscription request)
• Cancel Subscription (POST Subscription request)

In this example, there is 2 Read and 1 Write request.

The idea is the same for the Customer Portal product 🙂

ok i agree with that process. That is if they submit the form though. I am talking about loading the page where it checks to see if the user has an outstanding balance and if they have a certain product id active subscription

How are you checking if the customer has an outstanding balance?

They could just refresh the page over and over again and cause havoc I am thinking

From their latest invoices and checking if they are paid?

let me check

invoices = stripe.Invoice.list(customer=database_customer_id,status="open").auto_paging_iter()

This is a good point, if they were to refresh the page again and again, that could potentially trigger a lot of Read requests.

outstanding_filter = [x['amount_due']/100.0 for x in invoices]

Nice! perfect!

My suggestion for the rate limit concern is to identify the customer's ip address, and create a system to throttle them with 429s

ok I think I may use the cache for that

I was thinking this could be helpful to identify if a specific ip address is having suspicious activities

But what if I switch to the billing portal to cancel and the user just refreshes the page over and over?

e.g. if they wrote a script to create a lot of accounts on your site

I have captchas and stuff on my forms and I use caching of the IP to put timeouts on the forms

This is a great question! As Customer Portal is hosted by us, we have a lot of security measures on our hosted pages.

Ok that is what I figured.

This is awesome, I love talking to you!

lol thanks same

In fact, our Checkout pages have captchas launched recently

which captcha do you use

recaptcha, hcaptcha, something else?

To minimise risk, especially "card testing" that is a very big concern for payments

This is a great question, I wasn't involved in building it, but let me look it up! 🙂

ok

we use hcaptcha

Awesome do you have a screenshot or example?

Oh wow nice. I just tried it myself but I don't see it?

"I am human" not a bot 😄

Maybe you are too human for the system?

Sorry, jokes aside

haha no worries

These are usually triggered when we sense there's script or automation involved in the payment process

Is it invisible captcha or do you need to select images?

To be honest, I am not sure, as the hCaptcha handles everything, I believe it'd be up to them to decide how to challenge

ok makes sense

How long will I be rate limited for by stripe?

Great question! Let me look at the code for the source of truth!

thank you

Another question I have is where would I put this code from the link you showed me? stripe.max_network_retries = 2

Sorry about the delay

I have looked a bit deeper, it seems the above limits are for server based requests

The requests made from the client, is 50/s each in live mode with a publishable key

And hopefully this is good news, we have a 30/s per IP + publishable key limit

With this, hopefully you do not need to implement your own logic anymore.

As for the rate limit recovery time, I do not have a definite answer for you, the way it works on our backend is slightly complex.
What I would recommend is, if you were to ever hit this 429 limit, is to retry with an exponential back-off

Similar to what is recommended in our docs: https://stripe.com/docs/rate-limits#handling-limiting-gracefully

Hope you find this useful 🙂