Question
The CDS Traffic thresholds section specifies that each of the secure and public traffic thresholds is 300 TPS.
Does this mean that a Data Holder (DH) could limit the access to either their secure or public APIs if they go above 300 TPS?
This might allow six busy ADRs (Accredited Data Recipients) or worse, a nefarious public API consumer, to exhaust this capacity and prevent other users from accessing these endpoints.
300 TPS seems like a particularly low general limit for API access. For secure APIs it would seem the 50 TPS per ADR would more than protect a DH from misuse.
For the public APIs (which are all readily cacheable), 300 TPS across the entire unauthenticated masses of the internet also seems extremely low.
Answer
NFRs are binding since CDS 1.13.0. 300 TPS represents close to 25.9m API calls per day per DH. This provision gives a ceiling to the number of requests so that DHs can right-size their implementations. This is a starting point, non-binding, and subject to review.
For reference, the total daily API volume in the UK in February 2021 was 23.9m API calls across 19 brands (~1.26m / brand / day). The threshold of 300 TPS would accommodate this traffic, indicating that this is not too low a limit.
The thresholds allow a DH to limit the access to either their secure or public APIs if they go above 300 TPS. DHs are within their rights to limit an ADR's access if they deem it to be unreasonable traffic or suggestive of a DoS.
For Customer Present and authorisation traffic the following traffic thresholds apply:
- Unlimited sessions per day
- 10 TPS per customer
- 50 TPS per data recipient
For Unattended traffic the following traffic thresholds will apply for low traffic periods:
- 20 sessions per day, per customer, per data recipient
- 100 total calls per session
- 5 TPS per session
- 50 TPS per data recipient
For public clients, banks can use their discretion to rate limit based on known public clients if they believe a single client is unreasonably exhausting capacity.
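To make the thresholds quoted in this answer concrete, here is an added example (not CDS reference code or any Data Holder's implementation) of how a DH might apply them as admission checks before serving a request. The 1-second sliding window for TPS, the in-memory store, and the day boundary at UTC midnight are assumptions.

```python
from collections import defaultdict, deque


class CdsTrafficThresholds:
    """Admission control for the thresholds quoted in the answer (example only)."""
    HOLDER_TPS = 300        # DH-wide ceiling discussed in the question and answer
    CUSTOMER_TPS = 10       # Customer Present traffic, per customer
    RECIPIENT_TPS = 50      # per data recipient, both traffic types
    SESSION_TPS = 5         # Unattended traffic, per session
    SESSION_CALLS = 100     # Unattended traffic, total calls per session
    SESSIONS_PER_DAY = 20   # Unattended traffic, per customer per data recipient
    WINDOW = 1.0            # assumption: TPS measured over a 1 s sliding window

    def __init__(self):
        self.recent = defaultdict(deque)       # rate key -> admitted call timestamps
        self.session_calls = defaultdict(int)  # session id -> calls admitted so far
        self.sessions = defaultdict(set)       # (customer, recipient, day) -> session ids

    def _rate(self, key, now):
        q = self.recent[key]
        while q and now - q[0] >= self.WINDOW:
            q.popleft()                        # drop calls that left the window
        return len(q)

    def admit(self, now, customer, recipient, session=None, attended=True):
        """Return None if the call may proceed, else the name of the threshold hit."""
        checks = [("holder", "all", self.HOLDER_TPS),
                  ("recipient", recipient, self.RECIPIENT_TPS)]
        if attended:
            checks.append(("customer", customer, self.CUSTOMER_TPS))
        else:
            # Assumption: a "day" is a UTC calendar day derived from the epoch time.
            opened = self.sessions[(customer, recipient, int(now // 86400))]
            if session not in opened and len(opened) >= self.SESSIONS_PER_DAY:
                return "sessions_per_day"
            if self.session_calls[session] >= self.SESSION_CALLS:
                return "calls_per_session"
            checks.append(("session", session, self.SESSION_TPS))
        for name, ident, limit in checks:
            if self._rate((name, ident), now) >= limit:
                return f"{name}_tps"
        for name, ident, _ in checks:          # every check passed: record the call
            self.recent[(name, ident)].append(now)
        if not attended:
            opened.add(session)
            self.session_calls[session] += 1
        return None
```

The returned threshold name is what a DH would log alongside the 429 so that an ADR hitting a per-recipient limit can be told apart from a single customer or session exhausting its own allowance.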