Instagram changed the way it rate limits like, comment and relationship endpoints in its API recently...you can sign API POST requests with an HMAC hash of your client secret and app IP address. I am doing this successfully. I know this because I get a 403 error message if I don't include the a properly hashed X-Insta-Forwarded-For header; get a 200 success message if it is included).
Still, I'm being rate-limited to 30 "like" calls per hour (the limit for unsigned requests); 100 is the limit for signed requests. Anyone know why this might be?
Updated docs are here: http://instagram.com/developer/restrict-api-requests/
and
here: http://instagram.com/developer/limits/
Apparently my Instagram client credentials had been flagged by Instagram, and they were limiting me based on past behavior of my app. I registered a new client with Instagram here: http://instagram.com/developer/clients/manage/, re-authenticated with the new app, plugged the new secret into my code to sign my requests, and I was able to like 100 IG posts within an hour. Good to go!
I faced the same problem and I managed to solve it by simply revoking app token from user panel. No need to create new app.
Related
I'm a little confused on how authentication works in Instagram. I want to display Instagram posts on a widget. But if I manually generate a single access_token I'm worried about hitting the limit (5000/hour) as it is a large web application.
Here's what I'm thinking: Have each user authenticate with their Instagram account and store their access_tokens and use the tokens to query Instagram's API. So essentially each user will be presented with Instagram posts queried using their access_token. And if the token expired for whatever reason I can easily have them re-authenticate. I need each user to authenticate anyway for other purposes.
I am not sure if the server could re-authenticate while providing a seamless experience for users.
Is this the right approach or is my thought process completely off?
EDIT: So I decided to have each user authenticate and call the Instagram API with each user's access_token. Everything has been working great. However, while testing the authentication one of my test accounts, I received this message "We noticed some unusual activity on your account. We'll send you a security code to verify your account." Are my API queries seen as unusual by Instagram if I'm querying public posts by tag for example? I'm worried my approach will cause end users to have to verify and ultimately make my application viewed as spam.
EDIT: I was hoping an Instagram API expert could offer advice on this topic. My application has been continuously querying for posts without issue. So for now I'm sticking to having each user authenticate and call the API using their access_token. I may have given the wrong impression when I said the Instagram posts would be on a "widget". I didn't mean a simple Instagram feed on a website. So if anyone has used the Instagram API for large amounts of querying for their application, please share your approach if possible!
If the access_token is invalid, you will get an error response like this:
{"error_type":"OAuthAccessTokenException","code":400,"error_message":"The access_token provided is invalid."}
check for this and ask user to login again
I have a php script to follow the followers of famous person, this script uses instagram api to do this.
When the script runs, it follows few persons of the overall list of users. How can I increase the "20" limit of this request ?
Any idea ?
Instagram just changed their limits, I have a website: http://instapromobiz.com that can follow/unfollow 60 users an hour.
You must first disable implicit (client side) authentication and then enforce signed headers in your client manager. Then when making a request sign your headers. See here:
http://instagram.com/developer/restrict-api-requests/
I am getting this error whenever I try to follow someone on Instagram via API no matter how many follows have been done before:
{"meta":{"error_type":"APIError","code":400,"error_message":"Client request limit reached"}}
My app allows authenticated users to follow interesting people. I know that there is a 5000 call/hour limit per authenticated user, but it fails even with new users.
Do my app is reaching some kind of client level limit?
APIs like follow, unfollow, comment are limited to 350 requests per hour. However sending requests from client side will fix this problem to some extent but it allows the users to see your API token.
In this case it looks like it would be beneficial to get some more data from your users. You could use Google analytics to track the "follow" action
https://developers.google.com/analytics/devguides/collection/gajs/eventTrackerGuide
This would give you a timestamp and information about user behavior.
Even with an advertised rate of X requests per hour, one user hammering the service with your API key can cause everyone to get throttled. (Not guaranteed, but pretty common practice for companies to keep their services alive)
It might be a good idea to reset your API, its possible (though unlikely) that someone has acquired your key and is using it.
Well, pretty much what it says on the tin.
I'm really curious about how pages like Statigram do their search functionality without users authentication and not exceeding the limits?
If I'm correct, Instagram API allows 5000 calls per hour, so I believe it's very likely that they indeed have more traffic than 5000 requests per hour.
Maybe It's a dumb question and Statigram has a special deal with Instagram to use their API or maybe they don't use the API and they use some other method?
The only special request you have to send to Instagram is the request to post comments.
The API limit is 5000 requests per hour per access_token or client_id. Every user has their own access_token, so as long as the requests from the third party application uses each individual access token, they will be hard pressed to exceed 5000 per user per hour.
That works out to 83 requests per minute and any user interacting with your application is highly unlikely to hit that.
From the docs:
You are limited to 5000 requests per hour per access_token or client_id overall. Practically, this means you should (when possible) authenticate users so that limits are well outside the reach of a given user.
If you are not using user authentication, you will likely hit the limit with just your client_id.
Most likely they're using one of the following methods:
An arrangement with Instagram
Credential rotation
IP rotation
Heavy caching (especially across credentials or IPs)
Screenscraping
In cases like this, if you don't have a special arrangement, you're almost certainly violating the terms of service. If you think your service is useful enough that Instagram would be willing to whitelist you to make more requests, get in touch with them.
They must have some sort of arrangement with Instagram as #RunscopeAPITools mentions. You are able to post comments to Instagram from Statigram, which requires special permission.
I've been building an app which allows the user to search through recent (i.e. 6-9 days worth) public tweets on Twitter using the Twitter Search API.
Currently, the site is entirely public - that is, users do not need to sign in to Twitter (or even be Twitter users at all) to use my app.
However, the upcoming changes to the Twitter API have left me confused, particularly the fact it would appear that every request to Twitter's API will need to be authenticated.
My limited understanding of how Twitter's API works is that I need to authenticate my app using OAUTH, which in turn means that, if I want to continue accessing the Twitter Search API, users will need to sign in to my site before they can use the functionality related to the Search API - hence, only Twitter users will be able to use that section of my app.
Am I understanding this correctly, or is the Twitter Search API exempt from the changes? If I authenticate my app, does this mean the rate at which users can search Twitter status updates through my app is increased (or any other advantages over having non-authenticated apps)? Note that I am currently implementing a caching feature to cache related searches.
Thanks!
The changes to the Twitter API would affect your application depending on how your application works. These are the changes that you should be aware of:
All requests used to be anonymous. Now, all requests must be authenticated via OAuth.
With the old rate limits, according to my tests, you where able to make about one request per second per IP address. Now you can make 180 requests per 15 minute block per authenticated user (1 request every 5 seconds on average).
Not related, but still worth mentioning, the data that the new API returns is more similar to the data that the Streaming API returns. It's much more complete.
So, according to these changes, if your application uses some kind of a bot which polls the Search API, stores the results into a database, and then your users search within these stored results; you will have to implement OAuth with your own access token, which you can get by creating an application at dev.twitter.com.
But, if your application connects to the Search API every time that your users interact with it, and you think that you will have to make more than one request every 5 seconds on average, then you will have to ask your users to authenticate in order to get their access tokens for your requests.