Blog · March 6, 2026

Securing Identity Verification: API Rate Limits and Throttling

Implementing robust API rate limits and throttling is crucial for protecting identity verification endpoints from abuse, ensuring system stability, and maintaining service quality.

By Didit

  • Protect Against Abuse: Rate limiting and throttling are essential defenses against Denial-of-Service (DoS) attacks, brute-force attempts, and credential stuffing on sensitive identity verification APIs.
  • Ensure System Stability: By controlling the volume of requests, these mechanisms prevent API overload, ensuring consistent performance and resource availability for legitimate users.
  • Maintain Data Integrity: Preventing excessive requests helps safeguard the integrity of identity data and the accuracy of verification processes, such as those involving ID Verification and Liveness Checks.
  • Didit's Multi-Layered Defense: Didit implements comprehensive global and endpoint-specific rate limits, along with clear X-RateLimit headers and client guidance, to secure its identity platform effectively.

The Critical Role of Rate Limiting in Identity Verification

In today's digital landscape, identity verification is paramount for trust and security. Businesses rely on APIs to perform critical checks like ID Verification, Liveness Detection, and AML Screening. However, these powerful endpoints are also prime targets for malicious actors. Without proper safeguards, they can be exploited for data theft, fraud, or simply to disrupt services through Denial-of-Service (DoS) attacks. This is where API rate limiting and throttling become indispensable.

Rate limiting is a strategy to control the number of requests a client can make to an API within a given timeframe. Throttling, a related concept, involves dynamically adjusting the rate of requests based on system capacity or predefined limits. Together, they form a crucial line of defense, ensuring that your identity verification infrastructure remains stable, secure, and available for legitimate users. Imagine a scenario where an attacker attempts to brute-force millions of identity checks using stolen credentials; without rate limits, this could quickly overwhelm your systems, leading to service outages and potential data breaches. Didit, with its AI-native identity platform, understands these challenges deeply and bakes multi-layered rate limiting directly into its architecture.

Understanding Global vs. Endpoint-Specific Limits

Effective rate limiting requires a nuanced approach, distinguishing between general API usage and high-impact operations. A one-size-fits-all limit can either be too restrictive for common operations or too lenient for resource-intensive ones. Therefore, a robust system employs both global and endpoint-specific limits.

Global Limits

Global limits apply across broad categories of API requests. For instance, Didit implements global limits of 300 requests per minute per application for all GET endpoints and another 300 requests per minute for all write/delete endpoints (POST, PATCH, DELETE). These generic ceilings provide a fundamental layer of protection, acting as a guardrail for overall API consumption. They are designed to prevent widespread abuse without unduly impacting normal operational flows.

Endpoint-Specific Limits

Beyond global limits, certain API operations are inherently more resource-intensive or sensitive, warranting stricter controls. Didit's platform defines additional, more restrictive scopes for such high-impact operations. For example:

  • session-v2-create (POST /v2/session/): This endpoint, crucial for initiating identity verification workflows, has a dedicated limit of 600 requests per minute. This ensures that while session creation is frequent, it doesn't overwhelm the workflow orchestration engine.
  • session-decision (GET /v2/session/<id>/decision/): Retrieving session decisions is throttled to 100 requests per minute. This prevents excessive polling that could strain database resources, particularly important for real-time results from processes like ID Verification and AML Screening.
  • session-generate-pdf (GET /session/<id>/generate-pdf/): PDF generation is a CPU-bound operation, and thus limited to 100 requests per minute to manage computational costs and ensure responsiveness.

This tiered approach allows for fine-grained control, optimizing performance and security across the entire identity verification lifecycle.
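As an added illustration (not Didit's own code), the following fixed-window limiter applies the per-minute figures quoted above and emits the X-RateLimit and Retry-After headers the page describes. It assumes each request is charged against its global read/write scope and any endpoint scope it matches, with the tightest scope deciding the response; the page does not state how Didit combines the two tiers, and the fixed-window algorithm is likewise an assumption.

```python
import re
import time

# Figures are the per-minute limits quoted above; scope names are the page's.
# Assumption (not stated on the page): a request counts against its global
# scope AND any endpoint-specific scope it matches, each per application.
WINDOW_SECONDS = 60
GLOBAL_LIMITS = {"global-read": 300, "global-write": 300}
ENDPOINT_LIMITS = [  # (scope, method, path pattern, limit per minute)
    ("session-v2-create", "POST", re.compile(r"^/v2/session/$"), 600),
    ("session-decision", "GET", re.compile(r"^/v2/session/[^/]+/decision/$"), 100),
    ("session-generate-pdf", "GET", re.compile(r"^/session/[^/]+/generate-pdf/$"), 100),
]

def scopes_for(method, path):
    """Return [(scope, limit)] for every scope a request is charged against."""
    name = "global-read" if method == "GET" else "global-write"
    scopes = [(name, GLOBAL_LIMITS[name])]
    for scope, m, pattern, limit in ENDPOINT_LIMITS:
        if m == method and pattern.match(path):
            scopes.append((scope, limit))
    return scopes

class FixedWindowLimiter:
    """Fixed one-minute windows keyed by (app_id, scope); the clock is injectable."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.counters = {}  # (app_id, scope) -> [window_start, count]

    def check(self, app_id, method, path):
        """Return (status, headers): 200 and charge every scope, or 429 and charge none."""
        now = self.clock()
        window_start = int(now) - int(now) % WINDOW_SECONDS
        reset = window_start + WINDOW_SECONDS
        states = []
        for scope, limit in scopes_for(method, path):
            state = self.counters.get((app_id, scope))
            if state is None or state[0] != window_start:  # first hit in this window
                state = self.counters[(app_id, scope)] = [window_start, 0]
            states.append((limit, state))
        # The scope with the fewest requests left decides the verdict and the headers.
        limit, state = min(states, key=lambda s: s[0] - s[1][1])
        if state[1] >= limit:
            return 429, {"X-RateLimit-Limit": limit, "X-RateLimit-Remaining": 0,
                         "X-RateLimit-Reset": reset, "Retry-After": max(1, reset - int(now))}
        for _, st in states:  # only a permitted request consumes quota
            st[1] += 1
        return 200, {"X-RateLimit-Limit": limit,
                     "X-RateLimit-Remaining": limit - state[1], "X-RateLimit-Reset": reset}
```

Because a rejected request consumes nothing, a client that is over its session-decision quota cannot also burn its global read quota by retrying.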

Client-Side Best Practices for Handling Rate Limits

While API providers implement robust rate limiting, clients also play a crucial role in respecting these limits and building resilient applications. When an API returns a 429 Too Many Requests response, it's not a failure but an indication to adjust your request pattern. Didit's API, for instance, includes critical headers in 429 responses to guide clients:

  • X-RateLimit-Limit: The maximum number of requests allowed in the current window.
  • X-RateLimit-Remaining: The number of requests remaining in the current window.
  • X-RateLimit-Reset: The time (in epoch seconds) when the current rate limit window resets.
  • Retry-After: Specifies how long to wait before making a new request.

To build a robust integration, clients should:

  1. Monitor Rate Limit Headers: Actively watch X-RateLimit-Remaining and begin throttling requests when it drops below a certain threshold (e.g., 15% of X-RateLimit-Limit).
  2. Implement Exponential Backoff: For 429 responses, do not immediately retry. Instead, implement an exponential backoff strategy, increasing the delay between retries (e.g., 5s → 10s → 20s → 40s). This prevents overwhelming the API further and allows it to recover.
  3. Log and Alert: Log instances of 429 responses and triggered retries. This helps identify sustained bursts or potential issues in your application's request patterns, allowing your team to investigate and optimize.

Adhering to these practices ensures your application integrates smoothly and reliably with identity verification services, even under varying load conditions.
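The three client-side steps above, as an added example that is not part of the original post or Didit's SDK: a small wrapper that honours the larger of Retry-After and the 5s, 10s, 20s, 40s backoff schedule on a 429, pauses until X-RateLimit-Reset once X-RateLimit-Remaining falls under 15% of X-RateLimit-Limit, and logs each retry. The transport, sleep and clock are injected so the exchange can be replayed offline; the canned responses are constructed, not captured from the API.

```python
import logging
import time

log = logging.getLogger("didit-client")
THROTTLE_FRACTION = 0.15            # step 1: slow down below 15% of X-RateLimit-Limit
BACKOFF_SCHEDULE = (5, 10, 20, 40)  # step 2: seconds between retries after a 429

# Constructed sample exchange: two 429s, then a success with only 10 of 100 requests left.
SAMPLE_RESPONSES = [
    (429, {"Retry-After": "7", "X-RateLimit-Reset": "1020"}, ""),
    (429, {"Retry-After": "3", "X-RateLimit-Reset": "1020"}, ""),
    (200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "10",
           "X-RateLimit-Reset": "1020"}, '{"status": "Approved"}'),
]

def scripted_transport(responses):
    queue = list(responses)  # stand-in for the network: replays (status, headers, body) in order
    return lambda method, path: queue.pop(0)

class RateLimitedClient:
    """Wraps send(method, path) -> (status, headers, body); sleep/now are injectable."""
    def __init__(self, send, sleep=time.sleep, now=time.time):
        self.send, self.sleep, self.now = send, sleep, now

    def request(self, method, path):
        for attempt, delay in enumerate(BACKOFF_SCHEDULE + (None,)):
            status, headers, body = self.send(method, path)
            if status != 429:
                self._throttle_if_low(headers)
                return status, body
            if delay is None:
                break  # schedule exhausted: surface the problem rather than keep hammering
            # Never retry at once; wait the longer of Retry-After and the backoff step.
            wait = max(delay, int(headers.get("Retry-After", 0)))
            log.warning("429 on %s %s: retry %d in %ss (window resets at %s)",  # step 3
                        method, path, attempt + 1, wait, headers.get("X-RateLimit-Reset"))
            self.sleep(wait)
        raise RuntimeError(f"rate limit retries exhausted for {method} {path}")

    def _throttle_if_low(self, headers):
        """Pause until the window resets once the remaining quota is under the threshold."""
        try:
            limit, remaining, reset = (int(headers[h]) for h in
                ("X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset"))
        except (KeyError, ValueError):
            return  # no usable rate-limit headers on this response
        if remaining < limit * THROTTLE_FRACTION:
            pause = max(0, reset - int(self.now()))
            log.info("quota low (%d of %d left): pausing %ds until reset", remaining, limit, pause)
            self.sleep(pause)
```

Raising once the schedule is exhausted is deliberate: a sustained run of 429s is a signal for the alerting in step 3, not something to hide behind an endless retry loop.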

How Didit Helps Secure Your Identity Workflows

Didit provides a comprehensive, AI-native identity platform designed from the ground up with security and scalability in mind. Our multi-layered rate limiting is just one example of how we protect your operations and sensitive user data. With Didit, you benefit from:

  • Robust API Protection: Our global and endpoint-specific rate limits safeguard against abuse, ensuring stability for critical services like ID Verification, Passive & Active Liveness, 1:1 Face Match, and AML Screening & Monitoring.
  • Orchestrated Workflows: Our no-code Business Console allows you to design complex verification journeys, and our backend intelligently manages the underlying API calls, respecting all limits. For example, when generating Verification Links or Unilinks, the system handles session creation and subsequent checks efficiently.
  • Developer-First Approach: Didit offers clean APIs and comprehensive documentation, including detailed guidance on rate limiting, enabling developers to build resilient integrations from day one. Our modular architecture means you can plug-and-play identity checks without worrying about the underlying infrastructure.
  • Scalability and Reliability: By proactively managing API traffic, Didit ensures high availability and performance, even during peak loads. Our AI-native platform is built to scale globally, handling millions of verifications without compromising on security or speed.

Didit's commitment to security extends beyond rate limiting, encompassing features like Free Core KYC, no setup fees, and a pay-per-successful-check model, making robust identity verification accessible and efficient for businesses of all sizes.

Ready to Get Started?

Ready to see Didit in action? Get a free demo today.

Start verifying identities for free with Didit's free tier.
