API fair use policy
General principles
ThingPark API fair use policy is primarily designed to protect the security of the platform and ensure responsible use of integrations. Users receive personal access credentials (keys, tokens, secrets) that they must keep confidential; all activities performed with these credentials are their responsibility. Sharing, selling, or transferring them without authorization is strictly prohibited.
ThingPark sets usage limits to prevent overload, abuse, or behavior that could harm service performance. Users must follow the technical documentation and must not access unauthorized data, bypass security mechanisms, alter the service’s functioning, test system vulnerabilities, or generate excessive request volumes.
The platform administrators monitor API usage to detect abnormal or non-compliant behavior and may restrict, suspend, or terminate access if limits are exceeded or if circumvention attempts occur. Any confidential information obtained through the APIs must be protected and used solely for the purposes of building integrations.
Finally, users must ensure their integration complies with applicable laws and must indemnify ThingPark for any damage resulting from non-compliant or abusive API use. The overall objective is to maintain a secure, stable, and fair environment for all users.
Rate limiter
REST APIs are protected by a rate limiting mechanism against HTTP request flooding. This rate limiting mechanism uses the leaky bucket algorithm described in NGINX Rate Limiting.
Each control plane API endpoint is classified in one of the following categories depending on its level of impact on system resources:
- HIGHEST_IMPACT
- HIGH_IMPACT
- MEDIUM_IMPACT
- LOW_IMPACT
The data plane API endpoint used to send downlink frames is classified in a dedicated category: DL_IMPACT.
The category of an endpoint is documented in the OpenAPI contract using the vendor extension x-rateLimit in the operation's parameters. The default category is LOW_IMPACT; therefore the vendor extension x-rateLimit is only specified for the other categories.
```yaml
paths:
  /customers:
    get:
      ...
      x-rateLimit:
        category: MEDIUM_IMPACT
```
Each category is associated with:
- Global limit: the maximum request rate (requests per second) supported by the system, counted regardless of the source IP address and of the targeted domain
- Source IP limit: the maximum request rate (requests per second) allowed for a given source IP address
When a limit is reached, either global or source IP, the HTTP request is rejected with a 429 Too Many Requests response.
The following source IP limits are configured by default:
| Category | Source IP limit |
|---|---|
| HIGHEST_IMPACT | 2r/s (burst 6) |
| HIGH_IMPACT | 4r/s (burst 6) |
| MEDIUM_IMPACT | 6r/s (burst 18) |
| LOW_IMPACT | 20r/s (burst 80) |
| DL_IMPACT | 3r/s (burst 15) |
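As an added example (not ThingPark's own code), the following Python models the two mechanisms described above: it resolves an operation's category from the x-rateLimit vendor extension (falling back to LOW_IMPACT when the extension is absent) and then applies the default source IP limits from the table with a leaky bucket whose accounting mirrors NGINX limit_req (an excess counter that grows by one per request, drains at the configured rate, and causes a 429 once it would exceed the burst). The OpenAPI fragment, the extra /devices path, the source addresses and the timestamps are constructed for the example; the global limit, whose values the page does not give, is not modelled.

```python
"""Added example, not ThingPark's own code: x-rateLimit category lookup plus a
per-source-IP leaky bucket with the page's default limits.  The bucket follows
the accounting NGINX limit_req uses, simplified for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Default source IP limits from the page: category -> (requests per second, burst)
SOURCE_IP_LIMITS: Dict[str, Tuple[float, int]] = {
    "HIGHEST_IMPACT": (2, 6),
    "HIGH_IMPACT": (4, 6),
    "MEDIUM_IMPACT": (6, 18),
    "LOW_IMPACT": (20, 80),
    "DL_IMPACT": (3, 15),
}
DEFAULT_CATEGORY = "LOW_IMPACT"  # operations without x-rateLimit fall here
HTTP_OK = 200
HTTP_TOO_MANY_REQUESTS = 429

# Constructed OpenAPI fragment: the parsed form of the YAML shown above plus a
# hypothetical /devices operation that carries no x-rateLimit extension.
OPENAPI_DOC = {
    "paths": {
        "/customers": {"get": {"x-rateLimit": {"category": "MEDIUM_IMPACT"}}},
        "/devices": {"get": {}},
    }
}


def category_for(doc: dict, path: str, method: str) -> str:
    """Return the x-rateLimit category of an operation, LOW_IMPACT if absent."""
    operation = doc.get("paths", {}).get(path, {}).get(method.lower())
    if operation is None:
        raise KeyError(f"{method.upper()} {path} is not in the contract")
    return operation.get("x-rateLimit", {}).get("category", DEFAULT_CATEGORY)


@dataclass
class LeakyBucket:
    rate: float                   # requests per second the bucket drains at
    burst: int                    # excess requests tolerated before rejecting
    excess: float = 0.0           # requests queued above the steady rate
    last: Optional[float] = None  # timestamp of the last admitted request

    def admit(self, now: float) -> bool:
        if self.last is None:  # first request for this key: nothing queued yet
            self.last = now
            return True
        elapsed = max(0.0, now - self.last)
        # Drain what the steady rate absorbed since the last admitted request,
        # then add this request as one more unit of excess.
        excess = max(0.0, self.excess - elapsed * self.rate + 1.0)
        if excess > self.burst:
            return False  # rejected requests leave the bucket state untouched
        self.excess, self.last = excess, now
        return True


class SourceIpRateLimiter:
    """One bucket per (source IP, category): the page's limits are per IP."""

    def __init__(self, limits: Dict[str, Tuple[float, int]] = SOURCE_IP_LIMITS):
        self.limits = limits
        self.buckets: Dict[Tuple[str, str], LeakyBucket] = {}

    def handle(self, source_ip: str, category: str, now: float) -> int:
        key = (source_ip, category)
        bucket = self.buckets.get(key)
        if bucket is None:
            rate, burst = self.limits[category]
            bucket = self.buckets[key] = LeakyBucket(rate, burst)
        return HTTP_OK if bucket.admit(now) else HTTP_TOO_MANY_REQUESTS


def simulate(limiter: SourceIpRateLimiter,
             requests: Iterable[Tuple[float, str, str, str]]) -> List[int]:
    """requests: (timestamp, source_ip, method, path); returns HTTP status codes."""
    return [limiter.handle(ip, category_for(OPENAPI_DOC, path, method), t)
            for t, ip, method, path in requests]


if __name__ == "__main__":
    # Constructed flood: 25 GET /customers calls in the same instant from one
    # address in the 203.0.113.0/24 documentation range, then 7 more a second later.
    flood = [(0.0, "203.0.113.10", "GET", "/customers")] * 25
    later = [(1.0, "203.0.113.10", "GET", "/customers")] * 7
    print(simulate(SourceIpRateLimiter(), flood + later))
```

With MEDIUM_IMPACT at 6r/s and burst 18, the instant flood admits 19 requests and rejects the rest with 429; one second later the bucket has drained six units, so six more requests pass before the next 429. A client that keeps its request rate at or below the category's rate never accumulates excess and is never rejected, which is the behaviour an integration should aim for rather than retrying 429 responses immediately.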