Conversation

$$16146
https://social.coop/users/smallcircles posted on Mar 22, 2026 20:08
In reply to: https://activitypub.space/post/1641

@evan

> Rate limits are a common part of APIs.

Yes, of API *implementations*, and they may become part of the public interface of these implementations. Whether they should be part of an open standard protocol specification is a different matter imho. Perhaps in a separate implementation guide, suggesting recommended practices.

Or perhaps there may be some way to formulate a generic mechanism in the protocol specification that makes rate limits an extension point, without pinning to a particular method, esp. if it is only a de facto standard.

(Other example. The fediverse is still pinned to an expired draft of HTTP signatures.)

OTOH if the goal of the task force is to mostly just provide implementation guidance, and maybe a reference impl, then I guess examples of rate limiting may be provided.

@julian

https://social.coop/users/smallcircles/statuses/116274632996483178
$$16153
https://social.coop/users/smallcircles posted on Mar 22, 2026 20:29
In reply to: https://social.coop/users/smallcircles/statuses/116274632996483178

@evan @julian

For example, as far as I am aware, XMPP does not dictate how to deal with rate limits, though there's an optional non-final XEP on stream size (which is different). However, Prosody IM does implement rate limiting, and explains the config in their docs.

CloudEvents also says nothing about rate limits. But it has a guideline on how to implement Webhooks with HTTP + Websockets. It specifies that 429 Too Many Requests is returned, plus a Retry-After HTTP header. This spec also mentions:

> This specification aims to provide such a definition for use with CNCF CloudEvents, but is considered generally usable beyond the scope of CloudEvents.

What is nice wrt CloudEvents is how the protocol spec clearly distinguishes various extension points:

- adapters
- bindings
- formats
- extensions

https://social.coop/users/smallcircles/statuses/116274718079331293
$$16154
https://cosocial.ca/users/evan posted on Mar 22, 2026 20:41
In reply to: https://social.coop/users/smallcircles/statuses/116274718079331293

@smallcircles @julian the point of the API task force is to make using the API across servers possible. That's why we're doing the OAuth work. I think rate limiting is part of the basic profile; it's one of the things you need to support to use the API across different servers.

https://cosocial.ca/users/evan/statuses/116274763446935703
$$16185
https://cosocial.ca/users/evan posted on Mar 22, 2026 22:02
In reply to: https://activitypub.space/post/1641

@julian There are 3 main clusters.

They're linked here for the ActivityPub API task force, but they also apply for the federation protocol:

https://github.com/swicg/activitypub-api/issues/4#issuecomment-4083573914

https://cosocial.ca/users/evan/statuses/116275080781185862