QualysGuard API limits exposed in the HTTP header

Document created by Eric Perraudeau on May 10, 2011. Last modified by Eric Perraudeau on Mar 25, 2015.



There is an interesting new feature available for the API v1 and v2 frameworks: every response returned by the API exposes your API limits in the HTTP headers.

For instance, you can try:

    curl -D header.txt -u user:pass 'https://qualysapi.qualys.com/msp/about.php'


The file header.txt will then contain something like:


    HTTP/1.1 200 OK
    Date: Tue, 10 May 2011 21:17:37 GMT
    Server: qweb/4.0h.QEL4
    X-RateLimit-Limit: 300
    X-RateLimit-Window-Sec: 86400
    X-Concurrency-Limit-Limit: 2
    X-Concurrency-Limit-Running: 1
    X-RateLimit-ToWait-Sec: 0
    X-RateLimit-Remaining: 299
    Transfer-Encoding: chunked
    Content-Type: application/xml


Some explanations:

X-RateLimit-Limit: 300 means that your subscription is configured to allow 300 calls per API call/function during the sliding window given by X-RateLimit-Window-Sec. In this example, about.php can be called 300 times, independently of the other API calls that are performed with the same account.


X-RateLimit-Window-Sec: 86400 is the sliding window (in seconds) for the limit above. 86400 seconds is 24 hours.


X-ConcurrencyLimit-Limit: 2 means you can launch the same call 2 times at the same time


X-ConcurrencyLimit-Running: 1 means only one call is currently running


X-RateLimit-ToWait-Sec: 0 means you've not been blocked, so you don't have to wait before launching a new call

X-RateLimit-Remaining: 42 means you still have 42 requests available for this API call for the time that remains in the sliding window

If for some reason you are blocked, you get a 409 HTTP error, and you can find the root cause in the header or the response: either the concurrency limit has been reached, or you have made too many calls and need to wait X-RateLimit-ToWait-Sec seconds.
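The decision described above, as an added example that is not part of the original document or Qualys code: it reads a header dump like header.txt and returns how long to wait before the next call. The 409 sample, its status text and the 30-second poll interval are assumptions constructed for illustration.

```python
# Limit headers as shown on the page, with the CRLF line endings curl -D writes.
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "X-RateLimit-Limit: 300\r\n"
    "X-RateLimit-Window-Sec: 86400\r\n"
    "X-Concurrency-Limit-Limit: 2\r\n"
    "X-Concurrency-Limit-Running: 1\r\n"
    "X-RateLimit-ToWait-Sec: 0\r\n"
    "X-RateLimit-Remaining: 299\r\n"
)
# Constructed sample of a blocked response; status text and values are made up.
SAMPLE_BLOCKED = (
    "HTTP/1.1 409 Conflict\r\n"
    "X-RateLimit-Limit: 300\r\n"
    "X-RateLimit-ToWait-Sec: 1200\r\n"
    "X-RateLimit-Remaining: 0\r\n"
)
PREFIXES = ("x-ratelimit-", "x-concurrencylimit-")


def parse_limits(raw):
    """Return (status, limits) from a header dump; limits maps lower-cased names to ints."""
    status, limits = None, {}
    for line in raw.splitlines():
        line = line.strip()
        if line.upper().startswith("HTTP/"):
            # A dump can hold several responses; keep only the last one.
            status, limits = int(line.split()[1]), {}
            continue
        name, sep, value = line.partition(":")
        # The page spells the concurrency headers two ways; accept both.
        name = name.strip().lower().replace("x-concurrency-limit-", "x-concurrencylimit-")
        if sep and name.startswith(PREFIXES) and value.strip().isdigit():
            limits[name] = int(value.strip())
    return status, limits


def plan_next_call(raw, poll_sec=30):
    """Return (seconds_to_wait, reason, calls_remaining) for the next call."""
    status, limits = parse_limits(raw)
    to_wait = limits.get("x-ratelimit-towait-sec", 0)
    remaining = limits.get("x-ratelimit-remaining")
    if to_wait > 0:
        return to_wait, "rate limit", remaining
    if status == 409:
        # Blocked with no wait time: the other cause the page names is the
        # concurrency limit. No duration is given, so poll (poll_sec is assumed).
        return poll_sec, "concurrency limit", remaining
    return 0, "ok", remaining
```

Feed it the contents of header.txt after each call and sleep for the returned number of seconds before issuing the same API function again.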


For more information, please refer to the API user guides available here: https://discussions.qualys.com/community/developer


This document was generated from the following discussion: QualysGuard API limits exposed in the header
