1. Applied Rate Limits
- Primary Limit: 400 requests per minute per user account (API token).
- Enforcement Scope: Limits are applied per user account (API token), not per IP address.
2. IP Banning Policy
- No IP-Based Banning in R3 API: With the transition to the TP R3 API, rate limiting and bans are no longer applied based on IP addresses. The system now tracks usage and applies restrictions solely per user account (API token).
3. Circumstances Leading to Bans (Token-Based)
- Exceeding Rate Limits: If a user’s token exceeds 400 requests in a minute, the system may temporarily ban the token.
- Automatic Unbanning: Bans are temporary; the ticket notes that a banned token is automatically unbanned after approximately 10 minutes.
- Distributed Systems Issue: Users running distributed systems (e.g., Kubernetes clusters) from multiple nodes/IPs with the same API token can trigger bans, because every request is counted against that one token regardless of its source IP.
- Token Misuse: If a token is compromised or misused, ENTSO-E reserves the right to revoke the token.
4. Recommendations for Users
- Monitor Aggregate Request Rates: Ensure all requests from distributed systems using the same token stay under 400 req/min.
- Implement Client-Side Throttling: Smooth traffic instead of sending bursts, e.g. a sustained rate of at most about 6.6 req/sec (400/60) with a small, bounded burst allowance. A burst of several hundred requests followed by steady traffic can still exceed 400 within a single minute even if the long-run average is below the limit.
- Regenerate Tokens if Compromised: If unusual activity is suspected, regenerate the API token.
- Provide Detailed Logs: When reporting issues, include:
  - User account/email associated with the token.
  - Exact timestamps of 429 errors.
  - Request counts per minute from the token.
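The following is an added example, not ENTSO-E's own code, showing how a client can stay under the per-token limit and produce the per-minute counts the report above asks for. It assumes one token shared by several worker nodes that cannot coordinate (so each node gets a static share of the budget), and the Retry-After handling is generic HTTP practice; the article does not say the TP R3 API sends that header. The log lines are constructed sample data.

```python
"""Client-side throttling for a per-token limit of 400 requests per minute.

Added example; not ENTSO-E's code. The 400/min limit and the ~10 minute
automatic unban come from the article; node sharing, the Retry-After
handling and the sample log are assumptions made for illustration.
"""
import time
from collections import Counter
from datetime import datetime, timedelta, timezone

LIMIT_PER_MINUTE = 400
WINDOW_SECONDS = 60.0
BAN_SECONDS = 10 * 60  # approximate automatic-unban delay from the article


class TokenBucket:
    """Token bucket sized so that ANY 60 s window sees at most `limit` requests.

    Capacity is the allowed burst; refill is (limit - burst) / window per second,
    so burst + refill-over-one-window == limit. A bucket whose capacity equals
    the limit would allow a full burst plus a full minute of refills, which is
    more than 400 in one minute.
    """

    def __init__(self, limit=LIMIT_PER_MINUTE, burst=20,
                 window_seconds=WINDOW_SECONDS, clock=time.monotonic):
        if not 0 < burst < limit:
            raise ValueError("burst must be in (0, limit)")
        self.capacity = float(burst)
        self.rate = (limit - burst) / window_seconds  # tokens per second
        self.clock = clock                            # injectable for tests
        self.tokens = self.capacity
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def try_acquire(self):
        """Consume one token if available; never blocks."""
        self._refill()
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def wait_time(self):
        """Seconds until a token is available (0.0 if one is available now)."""
        self._refill()
        return 0.0 if self.tokens >= 1.0 else (1.0 - self.tokens) / self.rate


def per_node_limit(total_limit, node_count):
    """Static share for one of `node_count` uncoordinated nodes (assumed setup):
    floor(limit / nodes), so the nodes' combined rate never exceeds the limit."""
    if node_count < 1:
        raise ValueError("node_count must be >= 1")
    return total_limit // node_count


def backoff_seconds(status_code, retry_after=None):
    """Delay after a response. On 429, honour a numeric Retry-After if one is
    present (assumption: the article does not mention the header); otherwise
    wait out the ~10 minute ban instead of retrying against a banned token."""
    if status_code != 429:
        return 0
    if retry_after is not None and str(retry_after).strip().isdigit():
        return int(retry_after)
    return BAN_SECONDS


def requests_per_minute(timestamps):
    """Count requests per UTC calendar minute from ISO 8601 timestamps; this is
    the 'request counts per minute' figure asked for when reporting a ban."""
    counts = Counter()
    for ts in timestamps:
        t = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        counts[t.strftime("%Y-%m-%dT%H:%MZ")] += 1
    return counts


def minutes_over_limit(timestamps, limit=LIMIT_PER_MINUTE):
    """Minutes in which the token exceeded the limit (the minutes worth reporting)."""
    return {m: c for m, c in requests_per_minute(timestamps).items() if c > limit}


def constructed_request_log():
    """Constructed sample data: 401 requests in 10:00 and 50 in 10:01 UTC."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    burst = [(base + timedelta(milliseconds=140 * i)).strftime(fmt) for i in range(401)]
    calm = [(base + timedelta(seconds=60 + i)).strftime(fmt) for i in range(50)]
    return burst + calm


class FakeClock:
    """Deterministic clock so the limiter can be simulated without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def simulate(bucket, clock, seconds, poll_interval=0.1):
    """Poll the bucket every `poll_interval` simulated seconds; return requests sent."""
    sent = 0
    for _ in range(int(seconds / poll_interval)):
        if bucket.try_acquire():
            sent += 1
        clock.advance(poll_interval)
    return sent


if __name__ == "__main__":
    clk = FakeClock()
    print("sent in 60 s:", simulate(TokenBucket(clock=clk), clk, 60))
    print("minutes over limit:", minutes_over_limit(constructed_request_log()))
```

In a real deployment the `TokenBucket` sits in front of every outbound call (`sleep(bucket.wait_time())` before sending), each pod is constructed with `limit=per_node_limit(400, replicas)`, and a 429 triggers `backoff_seconds` rather than an immediate retry.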