Request method limitations

Hey Freshworks team,
We are developing a Freshdesk application and are starting to work with requests to 3rd-party sources. The documentation says that there is a limit of 50 requests per account per minute. Based on this information, we have several questions whose answers we were not able to find in the documentation or in other portal topics:

  1. What requests are included in this limit of 50? Are only requests made with the Request method included, or any other invocation of the Freshdesk API as well?

  2. Are requests fired using simple fetch or axios included in this limit?

  3. What advantages does the Request method give in comparison to fetch or axios invocations? Is it only security advantages, or is there something else? If we are not exchanging any passwords with 3rd-party resources, are we OK with using fetch or axios?

  4. And the most interesting one: I’ve tried to test the Request method rate limits locally and wasn’t able to do that. I used the code below, and all 100 requests came back with 200 responses in the span of 50 seconds. How is that possible?

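// Fire one templated request every 500 ms, stopping after 100 calls.
let timesCalled = 0;
setInterval(() => {
  if (timesCalled < 100) {
    timesCalled++; // count this call so the loop stops at 100
    client.request.invokeTemplate("customerLookup", {
      context: { term: "test_term" },
    });
  }
}, 500);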
  5. With every request fired using the Request method locally, I see one failed request in the network tab right before the successful POST request. Is that intentional, or is something broken? (see screenshots below)


I hope all these questions make sense!
Let me know if I’m missing something

Hope to hear from you on these questions soon!
Vitalii!

Hello @Vitalii_Sukhostavsky

I agree that we could benefit from a dedicated page discussing rate limits as part of our documentation. For now, I would request you to refer to this - Get assistance in extending platform rate limits for your apps

Let me try to address your questions meanwhile.

  1. Only requests made with the Request method are counted against this limit. If your app makes an API call to Freshdesk without using the Request method somehow, then that is not counted against this limit.
     Note: Freshdesk APIs will manage their own separate rate limits as per your account subscription.

  2. No, these are not counted toward the limit.

  3. As mentioned here - Freshworks Developer Docs | Freshworks app ecosystem - securing the secrets your app uses to make the API calls and overcoming CORS restrictions are the two major advantages to using Request Methods. A third advantage would be that the requests would originate from a predictable set of static IP addresses, which helps with systems that need to trust the origin via IP address allow-listing. You are free to use fetch or axios if you don’t need to leverage these advantages.

  4. The rate limits aren’t enforced on localhost :slight_smile: They will only be enforced once the app is published and installed.

  5. I believe this is expected, but I will find someone who can confirm the same. Thanks for bringing this up!

1 Like
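
Because the limit is not enforced on localhost, the test in the question cannot show how the app behaves once installed. As an added example (not code from the thread or from Freshworks), the sketch below models a 50-per-minute budget and replays the same schedule of one call every 500 ms; the sliding-window counting and the names `RequestBudget` and `replaySchedule` are assumptions, since the thread does not say how the platform counts its window.

```javascript
// Added example. The 50-per-minute figure comes from the thread; the sliding
// window and all names here are assumptions, not the platform's implementation.
class RequestBudget {
  constructor({ limit = 50, windowMs = 60000, now = Date.now } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;   // injectable clock so the model can be replayed in tests
    this.sent = [];   // timestamps of calls still inside the window
  }

  // Milliseconds until the next call fits in the budget (0 means "send now").
  delayFor() {
    const t = this.now();
    while (this.sent.length && t - this.sent[0] >= this.windowMs) this.sent.shift();
    if (this.sent.length < this.limit) return 0;
    return this.sent[0] + this.windowMs - t;
  }

  // Record a call if it fits; return false when it would exceed the budget.
  tryAcquire() {
    if (this.delayFor() > 0) return false;
    this.sent.push(this.now());
    return true;
  }
}

// Replay a fixed schedule (the thread's test: 100 calls, 500 ms apart).
function replaySchedule(calls, intervalMs, limit = 50) {
  const clock = { t: 0 };
  const budget = new RequestBudget({ limit, now: () => clock.t });
  const result = { allowed: 0, held: 0, firstHeldAtMs: null };
  for (let i = 0; i < calls; i++) {
    clock.t = i * intervalMs;
    if (budget.tryAcquire()) {
      result.allowed++;
    } else {
      result.held++;
      if (result.firstHeldAtMs === null) result.firstHeldAtMs = clock.t;
    }
  }
  return result;
}
```

In an app, the call to `client.request.invokeTemplate` would sit behind `tryAcquire()`, with `delayFor()` giving the wait before the next attempt.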

Hey @satwik
thanks a lot for your answers, they were really helpful!

The only follow-up question I have is where can I take a look at Freshdesk API rate limits per account subscription info you were mentioning in your answer?

Vitalii!

Hello @Vitalii_Sukhostavsky

Is this article helpful?

1 Like

Hey @satwik
Yes, that’s exactly what I’ve been looking for, thanks a lot!!!

After discussing these 3 main advantages of using the Request method with the team, the only question that is popping into our heads is about the first advantage you mentioned: ‘securing our secrets’.

Can you please explain what kind of potential security problems Request method fixes?
Is there something different in terms of security between using fetch or axios in our application here and using these methods in a simple standalone React application? Any additional data leak risks?

Any information regarding this topic would be helpful for us to decide which way to go, cause the rate limits of the Request method do not fit us at all!

Thanks in advance,
Vitalii

@kaustavdm cc-ing you here as discussed with my teammate previously

The challenges and security risks that Request Method solves are primarily for the browser environment. Given that the Request Method can send HTTP requests initiated by the app through our internal HTTP proxy, you don’t hit CORS limitations when calling external services. If you combine iparam templates with your request method call, the template substitutions happen at the proxy layer. Anyone tracking the requests from the browser devtools sees no sensitive information.

This security posture is made one step better with platform 2.3’s Request Templates, with which even the schema of the HTTP request is abstracted in configurations.

Plus, you get well-known static IP egress with Request Method, which is useful when integrating with external services that allow only specific IP ranges. And OAuth client requests are just a matter of toggling an option in the request.

You can still use axios or fetch or other HTTP clients from the frontend if the API you call provides Access-Control headers to bypass CORS and if the API does not need authentication or authorization information. This does not apply to most production APIs since they have some form of access control.

Using axios or fetch from serverless functions does not hit these security limitations as an end user cannot access the environment in which serverless functions run. But you don’t get the static IP egress option.

2 Likes
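
The point above about template substitution happening at the proxy layer, as an added example that is not part of the original reply and is not Freshworks code: a small model comparing what the browser sends for a templated call with what a direct frontend call has to carry. The template's host and path, the iparam name and value, and the browser-to-proxy payload shape are all constructed for illustration.

```javascript
// Constructed template in the style of a request template; host, path and
// iparam name are made up for this example.
const templates = {
  customerLookup: {
    schema: {
      method: "GET",
      host: "crm.example.com",
      path: "/api/customers",
      headers: { Authorization: "Bearer <%= iparam.api_key %>" },
      query: { term: "<%= context.term %>" },
    },
  },
};
// Constructed secret. In this model it exists only on the proxy side.
const secureIparams = { api_key: "CONSTRUCTED-SECRET-0000" };
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// What leaves the browser and shows in devtools (hypothetical payload shape).
function browserPayload(name, context) {
  return JSON.stringify({ template: name, context });
}

// Substitute <%= iparam.x %> and <%= context.x %> placeholders, recursively.
function render(node, scope) {
  if (typeof node === "string") {
    return node.replace(/<%=\s*(iparam|context)\.(\w+)\s*%>/g, (_, ns, key) => {
      if (!has(scope[ns], key)) throw new Error(`unknown ${ns}.${key}`);
      return String(scope[ns][key]);
    });
  }
  if (node && typeof node === "object") {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, render(v, scope)]));
  }
  return node;
}

// Proxy side: look the template up by name and build the outbound request.
function proxyOutbound(payload) {
  const { template, context } = JSON.parse(payload);
  if (!has(templates, template)) throw new Error(`unknown template ${template}`);
  return render(templates[template].schema, { iparam: secureIparams, context: context || {} });
}

// Contrast: a direct frontend call has to hold the key in the browser.
function directBrowserRequest(term, apiKey) {
  const url = `https://crm.example.com/api/customers?term=${encodeURIComponent(term)}`;
  return { url, headers: { Authorization: `Bearer ${apiKey}` } };
}
```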

Thanks a lot @kaustavdm. This information cleared up a lot in my head!
Looks like we will be ok with using simple axios requests!

1 Like

Have a case where I first need to get a bunch of ticket tags using the ?include, then update the same tags using the request method, which hits the 50 req limit rather quickly.

Was searching for another solution and I found this.

Did this approach work for you @Vitalii_Sukhostavsky ?
