For the past two months I irregularly receive the error code 429 with the message: Public rate limit exceeded. The only correlation I have been able to debug is that these error messages coincide with the alternate error code 500 with the message: Internal Server Error. I have been seeing more and more of both 429 and 500 over the past two months.
I am fairly certain that I am not violating the rate limit because my code is set to pause for a minimum of 1 second between HTTPS requests. My logs also confirm that I send no more than 1 HTTPS request per second.
What could be causing the 429 errors? I cannot seem to find a pattern that would indicate the source of the problem is on my end.
Edit: I also irregularly receive the error code 401 with the message: Invalid API Key. My API Key has not changed in months yet at least once per day, I will receive this error. This also does not make sense to me.
Welcome to the Coinbase Cloud Developer forum, @tripster202! We’re happy to help, but first we’ll need you to provide us with the following information so that we can further assist you with the issue:
Aside from the /accounts endpoint, what other API endpoints are you having an issue with?
Please provide a code snippet including the URL, body request and parameters that you used when trying to use the endpoints you’re having an issue with.
Please provide a screenshot of the error codes you are experiencing.
If you have any more information or screenshot that can demonstrate your concern, feel free to share it with us.
Once you send us the information requested above, we’ll work to quickly address this issue. We appreciate your patience and understanding.
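```python
import requests

# auth_access is an instance of the
# CoinbaseExchangeAuth class (the request-signing class from the
# authentication boilerplate, defined elsewhere)
auth_access = CoinbaseExchangeAuth()
request = 'https://api.pro.coinbase.com/accounts'
response = requests.get(request, auth=auth_access)
```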
Authentication is not the root of my issues because I am already able to regularly buy, sell and collect account information. The authentication boilerplate code is readily available on the internet.
Attached are screenshots from some of the email logs I send to myself. All times are -6 from Zulu.
Example 500 HTTP status code
Example 429 HTTP status code
Example 401 HTTP status code
4. Additional details
I’m sure it doesn’t make sense to you either why a user’s API Key would intermittently register as invalid. There is potentially an issue with the timestamp of the authorization process but this doesn’t happen regularly enough for me to suspect that the issue lies in my own code. Outside of the timestamp, I see no other variable factors.
I have all of my HTTP requests (GET, POST, DELETE) funnel through one function and within that function, there is a time.sleep(1) line that halts all code for that one second. My code is not multi-threaded or multi-processed so there is no possibility of multiple requests going out at once.
99% of the time, my code buys, sells and collects information without issue. I have a fully functioning system and am not struggling with development issues. The 401, 429 and 500 error codes are new to me as of the beginning of Jan 2023.
Attached is another screenshot with an error that occurred just a few minutes ago. I reconfirmed that I am sending HTTP requests at a minimum of 1 second intervals. As far as I can see, there is no good reason to be receiving a rate limit error. I am far from the allowed 10 requests per second and 10,000 per hour.
This is an example of a POST request receiving a rate limit error with HTTP response code 429
I can modify my error log messages to collect specific information if it will be helpful for further troubleshooting.
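The timestamp hypothesis raised in the post above can be checked directly. This is an added example, not code from the thread or from Coinbase: it signs a request the way the widely published Coinbase Exchange boilerplate does and models the server-side check. The 30-second tolerance, the `server_check` model, the `Date`-header helper and all credentials and times are assumptions or constructed values.

```python
import base64, hashlib, hmac
from email.utils import parsedate_to_datetime

MAX_SKEW = 30.0  # seconds; assumed tolerance, per Coinbase's documentation

def sign(secret_b64, timestamp, method, path, body=""):
    """CB-ACCESS-SIGN: base64(HMAC-SHA256(key, timestamp + method + path + body))."""
    prehash = f"{timestamp}{method.upper()}{path}{body}".encode()
    mac = hmac.new(base64.b64decode(secret_b64), prehash, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def auth_headers(key, secret_b64, passphrase, timestamp, method, path, body=""):
    """Client side: the four headers sent with every private request."""
    return {"CB-ACCESS-KEY": key,
            "CB-ACCESS-SIGN": sign(secret_b64, timestamp, method, path, body),
            "CB-ACCESS-TIMESTAMP": str(timestamp),
            "CB-ACCESS-PASSPHRASE": passphrase}

def server_check(headers, secret_b64, server_now, method, path, body=""):
    """Hypothetical model of the server: 'ok', 'expired' or 'bad signature'."""
    ts = headers["CB-ACCESS-TIMESTAMP"]
    if abs(server_now - float(ts)) > MAX_SKEW:
        return "expired"
    expected = sign(secret_b64, ts, method, path, body)
    if not hmac.compare_digest(expected, headers["CB-ACCESS-SIGN"]):
        return "bad signature"
    return "ok"

def skew_from_date_header(date_header, local_epoch):
    """Local clock minus server clock, from an HTTP Date response header."""
    return local_epoch - parsedate_to_datetime(date_header).timestamp()

SECRET = base64.b64encode(b"constructed-demo-secret").decode()  # constructed
SERVER_NOW = 1_677_300_000.0                                    # constructed

def outcome(local_clock_error, signed_path="/accounts", sent_path="/accounts"):
    """Result of a GET whose client clock is off by local_clock_error seconds."""
    ts = SERVER_NOW + local_clock_error
    h = auth_headers("demo-key", SECRET, "demo-pass", ts, "GET", signed_path)
    return server_check(h, SECRET, SERVER_NOW, "GET", sent_path)
```

Logging `skew_from_date_header(response.headers["Date"], time.time())` next to every 401 shows whether the rejections line up with clock drift or happen with an accurate clock.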
Hi @tripster202! Thank you for providing the information we need. We would like to clarify that “10 requests per second and 10,000 per hour” is the rate limit for Sign in with Coinbase. For more information about the rate limit of Coinbase Exchange/Pro, you may visit this link. For the 401 and 500 errors that you have encountered, please be aware that it is currently reported that Coinbase Pro is experiencing a partially degraded service on this site: https://status.pro.coinbase.com/. Nonetheless, we wish to inform you that we are already looking into this with our internal teams and we’ll get back to you once we have more information. Keep in touch!
We appreciate your patience and understanding. Have a great day!
This other screenshot from https://status.pro.coinbase.com lists a single incident over the same Dec 2022 - Feb 2023 time period. A slight inconsistency from the previous screenshot, but okay.
On 25 Feb 2023 I received an ‘internal server error’ response from the Coinbase Pro REST API. The 100% uptime report is looking less and less believable.
These three pieces of evidence are not all telling the same story. To me and other users of the REST API, this is a big deal. You directed me to https://status.pro.coinbase.com as an explanation for the 401 and 500 error codes. The fact is that I am receiving many more error codes than what is being reported. I don’t understand how serving clients ‘Internal Server Error’ and ‘Invalid API Key’ counts as 100% uptime. Just because the service is active 24/7 does not mean that it is functional.
I would be very disappointed if Coinbase was not already tracking the large quantity of ‘Internal Server Error’ messages flowing out from its REST API service. Based on the reports from the official status website, they are not.
Above is a screenshot of my logs from earlier this month. I was logging this information specifically because I was receiving mysterious 429 codes and I wanted to ensure my code was not the source of the issue. I sent out no more than 1 request per second and this is still how my code operates today. If it is true that I am allowed 10 requests per second (15 in burst), there is no explanation on my end why I am receiving a 429 rate limit error.
Hi @tripster202! We sincerely apologize for the inconvenience this may have caused you and thank you for providing more information about the error that you have encountered. Rest assured that we already communicated this with our internal teams to look further with your concern. We will inform you once we have an update.
We appreciate your patience and understanding. Have a great day!
Hello @tripster202! Apologies for the inconvenience that this has caused you, please know that our internal teams are still hard at work to resolve this concern. Rest assured that we already communicated this with our internal teams to look at further investigation with your concern. We will let you know once we have an update. We appreciate your patience and understanding. Thank you!
Hi @tripster202! We sincerely apologize for the delay in our response. We would like to ask if you are running more than one process on your machine? Based on the information we gathered from our internal team, we have a larger limit at the IP level which you may be hitting. For example, if you have several processes running that are all hitting these endpoints, they will run into our global limit by IP and receive a 429 error.
Hope to hear from you soon. Thank you and have a nice day!
The one instance that I do have making HTTP calls to the Coinbase Pro API is not multi-threaded or multi-processed. I can log any additional information that may be helpful.
What I do wonder now that you mentioned IP addresses is whether or not my cloud provider shares a single public IP address across multiple VM instances. If any other user under the same IP address is making calls to the same API, that could give us both rate limit errors, even though each of us on our own are not violating the rate limit.
I will investigate this more today and look into reserving my own public address.
From Linode, the Cloud Service Provider I use to interface with the Coinbase Pro API:
The public IPv4 address assigned to your Linode is only used by your Linode and is not shared. We do impose rate-limiting on our API to prevent abuse, though only our larger clients ever run into this sort of limitation. As you’re using a 3rd party API, I recommend consulting their documentation to see if the rate limiting is occurring on their end.
So the following question is answered…
And the answer is Linode does not share public IP addresses across multiple users. All traffic coming from my IP address is coming from me alone.
I’m happy to provide any other pieces of evidence that can help narrow down the issue. If this issue is originating on my end, I have no problem with exposing it. I will say that I have not seen a 401 or 500 error code in over a week although the 429 rate limit errors are still coming in several times per day.
Hi @tripster202! Thank you for getting back to us with the information we have requested. We’ll endorse this information accordingly with the relevant teams that are handling your concern, so it could further help in their investigation.
We’ll get back to you once we have an update. Keep in touch!
I am STILL receiving a ridiculous amount of 429 error codes from the Coinbase Pro API. Is there any progress on this issue? Any information to share at all?
Again, there is no reason why I should be receiving rate limit errors. I’ve confirmed my code and my logging procedures multiple times and I send out no more than 1 request per second. This is far below any Coinbase rate limit.
Please let me know what progress the team has made so far in regards to identifying the source of this issue. I am happy to share any additional information that may help.
Hi @tripster202! Our apologies if our response about your concerns is taking longer than usual. Please be informed that our team was already informed about your concern and from the last communication, they were working on it. We also reiterated this to our internal teams to obtain any updates regarding this matter and will update you as soon as we hear from them.
We appreciate your utmost patience and understanding. Have a great day!
I’ve always received the 401 and 500 codes intermittently and work around them. The 429 code is not something I see. Always in this case refers to a term dating back to 2021.
Their servers just struggle.
I have run the Coinbase Pro API for many years now with a now bulletproof websocket connection. What I suspect that can happen is a third party watches your traffic and sends fake public API requests with forged headers in order to get your stuff to error out. All they need is access to a server between you and the destination. They can also attack your internet connection itself, and I have proof of this by the forged control messages that they send to my router, attempting to look like real ISP reset signals. There are layers of hackers who get paid by third party interests to do these attacks during market turning points. Even if they do not know who they are attacking specifically, they know that by doing this, it frustrates the traders and allows the banks to keep more profit. For example, if they can ‘disconnect’ many traders’ feeds during large market buying moments, they can guarantee to get the best prices without any competition. Once you start to think this way you will realize security is the number one issue with crypto trading and managing that on your own servers is the best situation. Working on cloud based platforms is not the best when you do not have access to the exact systems being affected by these attacks, mostly because you won’t have proof of what is actually happening.
Another thing to look out for is the responses to your public timeserver sync requests. What I mean is the servers that your machine uses to get atomic time. Many of those public servers are compromised, and will toss out a junk time every now and then to set your clock wrong. Then with a wrong clock your connection attempts are disturbed and your local processing is out of order. If your system is tracking API requests with absolute time, it will lose absolute count in the moment when the time is set wrong. These are just some of the issues I have sorted through in order to get a connection going long-term. Make sure to use relative time with request counting! Also avoid any other outgoing web contact from your machine other than what is strictly necessary for the API. This is the best security tip I have.
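The advice above to count requests with relative time, as an added example that is not part of the original post: it compares a one-second pacing check fed by a wall clock that gets stepped with the same check fed by a monotonic clock, then gives a pacer built on `time.monotonic`. `SimulatedHost`, `Pacer` and the epoch value are constructed for the illustration.

```python
import time

MIN_INTERVAL = 1.0  # seconds between requests, as described in the thread

def required_delay(last_sent, now, min_interval=MIN_INTERVAL):
    """Seconds still to wait; both readings must come from the same clock."""
    return max(0.0, min_interval - (now - last_sent))

class SimulatedHost:
    """Constructed stand-in for a machine whose wall clock can be stepped."""
    def __init__(self):
        self.elapsed = 0.0                  # what time.monotonic() would report
        self.wall_offset = 1_677_300_000.0  # constructed epoch offset
    def monotonic(self):
        return self.elapsed
    def wall(self):                         # what time.time() would report
        return self.elapsed + self.wall_offset
    def advance(self, seconds):             # real time passing
        self.elapsed += seconds
    def step_wall(self, seconds):           # a time-sync correction, good or bad
        self.wall_offset += seconds

def delay_after_clock_step(step_seconds, real_gap=0.2):
    """(wall-clock delay, monotonic delay) for a request attempted real_gap
    seconds after the previous one, with the wall clock stepped in between."""
    host = SimulatedHost()
    last_wall, last_mono = host.wall(), host.monotonic()
    host.advance(real_gap)
    host.step_wall(step_seconds)
    return (required_delay(last_wall, host.wall()),
            required_delay(last_mono, host.monotonic()))

class Pacer:
    """Spaces requests using a monotonic clock, which time sync cannot step."""
    def __init__(self, min_interval=MIN_INTERVAL,
                 clock=time.monotonic, sleep=time.sleep):
        self.min_interval, self.clock, self.sleep = min_interval, clock, sleep
        self.last = None
    def wait(self):
        """Block until the next request may go out; return the seconds slept."""
        delay = 0.0
        if self.last is not None:
            delay = required_delay(self.last, self.clock(), self.min_interval)
        if delay > 0:
            self.sleep(delay)
        self.last = self.clock()
        return delay
```

A forward step of the wall clock makes the wall-based check release the next request after only 0.2 s of real time, and a backward step stalls it for about an hour; the monotonic reading gives 0.8 s in both cases.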