Using a revoked token incorrectly returns a 429 code

I got a valid token in my app first and then revoked the account on LIFX Cloud. When I use the old token to try to get the list, LIFX Cloud returns a 429 code to me.
According to the table, I think the code should tell me the account has been revoked, not 429 Too Many Requests.

Update: sorry, my mistake. I have found the unauthorized 401 code in the return data.
Update 2: I found that I sometimes get 401 and sometimes 429.

You’re right, there are two things going on here.

  1. When a token is revoked you will get a 401. We don’t differentiate between non-existent, malformed, or revoked tokens. They’re all “unauthorised”.
  2. When you make more than 120 requests in 60 seconds we refuse to process your request and instead return a 429. Please keep within this limit to ensure everyone using the HTTP API gets a fair distribution of resources.

The reason why you’re sometimes getting a 401 and sometimes getting a 429 is because we apply rate limiting before we perform authorisation.

At any rate, you can get yourself going again by creating a new token.

It’s definitely possible to get a 429 without making a large number of requests. I can get it on the very first request.

If I do:

curl -H "Authorization: Bearer MY_TOKEN" ""

then everything is fine, as you would expect, and I get back a JSON listing of my lights.

But if I do:

curl -H "Authorization: Bearer MY_TOKEN_WITH_ONE_DIGIT_CHANGED" ""

then I get:

  "error": "Too many requests. Try again later."

every single time, even if I haven’t made any requests in the last few minutes.

This doesn’t pose any problem, but it seems weird.


Nice find, that is weird. I’ll investigate further and get back to you.

ppelleti, thanks for your proof.

tatey, we are waiting for your reply.

We have confirmed the issue. It is due to our rate limiting treating all unauthorized requests as the same account. So we were allowing only 120 invalid token requests globally before triggering the rate limiting. Clearly this is a mistake and we are working on a fix as we speak.

We expect to have the fix in production by the end of the day in Melbourne (about 3 hours from now).

This fix has now been deployed. There are now two rate limits.

  1. A new rate limit of no more than 30 invalid tokens every minute per IP address.
  2. The rate limit of 120 requests per minute per account for each OAuth application.

Please give it a test and let us know how well it works for you.
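Added example (not LIFX code): a toy model of the two designs described in this thread, rate limiting applied before authorisation with every invalid token counted under one shared key, beside the fixed ordering with a separate limit of 30 invalid tokens a minute per IP address and 120 requests a minute per account. Token values, IP addresses and the one-minute sliding window are constructed; the per-OAuth-application dimension is left out.

```python
from collections import defaultdict

VALID_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed
WINDOW = 60  # seconds, matching the 120-requests-per-minute limit


class WindowLimiter:
    """Counts hits per key inside a sliding 60 s window."""

    def __init__(self, limit):
        self.limit = limit
        self.hits = defaultdict(list)

    def allow(self, key, now):
        # Forget hits older than the window, then admit if still under the limit.
        self.hits[key] = [t for t in self.hits[key] if now - t < WINDOW]
        if len(self.hits[key]) >= self.limit:
            return False
        self.hits[key].append(now)
        return True


class BuggyServer:
    """Rate limits before authorising; every invalid token maps to one key."""

    def __init__(self):
        self.per_account = WindowLimiter(120)

    def handle(self, token, ip, now):
        account = VALID_TOKENS.get(token, "anonymous")  # the shared key is the bug
        if not self.per_account.allow(account, now):
            return 429
        return 200 if token in VALID_TOKENS else 401


class FixedServer:
    """Authorises first; invalid tokens are limited per IP, valid ones per account."""

    def __init__(self):
        self.per_ip_invalid = WindowLimiter(30)
        self.per_account = WindowLimiter(120)

    def handle(self, token, ip, now):
        account = VALID_TOKENS.get(token)
        if account is None:
            return 401 if self.per_ip_invalid.allow(ip, now) else 429
        return 200 if self.per_account.allow(account, now) else 429


def first_bad_request_after_others(server):
    """120 bad tokens spread over 40 IPs, then a fresh IP's very first request."""
    for i in range(120):
        server.handle(f"bad-{i}", f"10.0.0.{i % 40}", now=0)
    return server.handle("tok-alice-typo", "192.0.2.1", now=1)  # 429 buggy, 401 fixed
```

With the buggy ordering the fresh client is refused on its first request, exactly the symptom reported above, while the fixed ordering still answers 401 and only starts returning 429 once a single IP exceeds 30 invalid tokens in a minute.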

Hi Dan,

I tested many times and got the correct 401 code.
Thanks a lot.

You are welcome, thanks for reporting the issue to us. I’m sure that has probably confused a lot of people.