Today we’re announcing new tools to help us better identify the API calls that your app makes to Instagram. These new tools will bring more consistency and stability to your app, since our systems will now have a stronger understanding of the calls that you make, enabling us to support you in the best way possible. As part of these new tools, we are also introducing a new method for rate-limiting POSTs made to our platform, which will go into effect on July 7, 2014.
Disable Client-Side (Implicit) Authentication
Enforce Signed Header
In order to help us better verify the identity of your app as the source of API calls being made on behalf of your OAuth Client, we have also added support for a new HTTP header which signs your API requests. By enabling the new Enforce signed header setting on your OAuth Client configuration, we will verify the signature in the X-Insta-Forwarded-For HTTP header and reject any API calls that do not match. As with disabling client-side authentication, we encourage all developers with server-side apps to begin securing their API calls with this HTTP header.
Revised Rate Limits on POSTs
On July 7, 2014, we will introduce a new method for rate-limiting POSTs made to the Instagram Platform, in which a different set of rate limits will be applied based on whether or not your app is issuing signed requests. Under this new model, we will provide an elevated set of rate limits for apps that secure their OAuth Clients by performing the following two actions:
- Disabling Client-Side (Implicit) Authentication
- Signing all POSTs and DELETEs to the Instagram Platform with the X-Insta-Forwarded-For HTTP header
The following new rate limits will go into effect on July 7, 2014:
Unsigned Calls (per OAuth token):
- POST /media/media-id/likes: 30/hour
- POST /media/media-id/comments: 15/hour
- POST /users/user-id/relationships: 20/hour
Signed Calls (per OAuth token):
- POST /media/media-id/likes: 100/hour
- POST /media/media-id/comments: 60/hour
- POST /users/user-id/relationships: 60/hour
Support for HTTP 429 Status Code
In order to provide more clarity when a rate limit condition has been hit, we will begin returning the HTTP status code 429 (Too Many Requests) for calls that exceed the rate limit for a particular endpoint. The following changes take effect today:
- Requests with user tokens that exceed a rate limit will now return HTTP status code 429 (previously 400)
- Requests that exceed the global rate limit for a client ID will return HTTP status code 429 (previously 420)
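To show how the signed header, the signed/unsigned rate-limit table and the new 429 status fit together, here is an added example (not code from this announcement or from the official libraries). It assumes the header format is the client IP, a pipe, and a hex HMAC-SHA256 of that IP keyed with the client secret, and it assumes rejected signatures get a 403; both are assumptions, as the announcement does not spell them out.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Hourly per-token POST limits from the announcement, keyed by (endpoint, signed).
LIMITS = {
    ("likes", False): 30, ("comments", False): 15, ("relationships", False): 20,
    ("likes", True): 100, ("comments", True): 60, ("relationships", True): 60,
}
WINDOW_SECONDS = 3600

def sign_forwarded_for(client_secret: str, client_ip: str) -> str:
    """Client side. Assumed format: '<ip>|<hex HMAC-SHA256(ip) keyed with the client secret>'."""
    mac = hmac.new(client_secret.encode(), client_ip.encode(), hashlib.sha256)
    return f"{client_ip}|{mac.hexdigest()}"

def verify_forwarded_for(client_secret: str, header_value: str) -> bool:
    """Server side: recompute the MAC over the IP part and compare in constant time."""
    ip, sep, sig = header_value.rpartition("|")
    if not sep or not ip:
        return False
    expected = hmac.new(client_secret.encode(), ip.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

class TokenRateLimiter:
    """Sliding-window model of the announced limits (constructed here, not Instagram's code)."""
    def __init__(self, client_secret: str, enforce_signed: bool = False):
        self.secret = client_secret
        self.enforce_signed = enforce_signed  # the 'Enforce signed header' client setting
        self.hits = defaultdict(deque)        # (token, endpoint) -> request timestamps

    def handle_post(self, token: str, endpoint: str, headers: dict, now: float) -> int:
        header = headers.get("X-Insta-Forwarded-For")
        signed = header is not None and verify_forwarded_for(self.secret, header)
        if (header is not None and not signed) or (self.enforce_signed and not signed):
            return 403  # rejected: bad or missing signature (status code is an assumption)
        window = self.hits[(token, endpoint)]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # drop requests older than one hour
        if len(window) >= LIMITS[(endpoint, signed)]:
            return 429  # Too Many Requests (previously 400 for user tokens)
        window.append(now)
        return 200

if __name__ == "__main__":
    secret, ip = "constructed-client-secret", "203.0.113.10"  # sample values, not real credentials
    limiter = TokenRateLimiter(secret)
    good = {"X-Insta-Forwarded-For": sign_forwarded_for(secret, ip)}
    codes = [limiter.handle_post("tok", "likes", good, t) for t in range(101)]
    print(codes.count(200), codes[-1])  # 100 accepted, then the 101st gets a 429
```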
Lastly, we have updated our Python and Ruby libraries to add support for the new X-Insta-Forwarded-For HTTP header as well as the new HTTP 429 status code. These updated libraries can be found on our developer site.