API (Web Services) Throttling

To increase the performance and reliability of the system, throttling is implemented.

Throttle limits are for each environment. For example, if an API has a limit of 1,000 requests per hour, that means you can make 1,000 requests each in Pilot, Stage, and Production environments.

If a request is made after the throttle limit is reached, Cornerstone will respond with the following HTTP 429 error:

  • Cornerstone recommends that your applications queue such requests until the throttle limit duration has passed after which the request can be re-sent.

The throttling limits vary per API and are listed in the specific documentation for the API within the API Explorer.

To access the API Explorer, go to Admin > Tools > Edge > API Explorer. API Explorer can also be accessed directly at the following URL: http://apiexplorer.csod.com

REST APIs

The throttling limit for REST APIs varies by endpoint. Please check the documentation in the API Explorer for additional details. For example, the following throttling limits exist:

  • Employee API v1
    • GET (Single User) - 6K/hour
    • GET (Bulk) - 3K/hour
  • Employe/OU API (v2)
    • GET (Single User) - 9K/hour
    • GET (Bulk) - 4.5K/hour
  • Reporting API
    • GET - 24K/hour
  • Cornerstone API (Foundational APIs)
    • The throttling limit across all Foundational APIs is 25,000 requests per hour. Note that certain Foundational APIs, such as the Proxy Enrollment API, have distinct throttling limit which are specified in API Explorer.

SOAP APIs

To provide better API functionality and experience, Cornerstone has migrated almost all APIs to REST APIs.

The maximum request rate for all SOAP services is 35K requests per hour per organization, meaning that an organization cannot make more than 35K requests within an hour. Other limits include:

If the request count exceeds the request threshold, the SOAP API does not execute any action, and "Throttle rate exceeded" is displayed in the API response. The request count is reset an hour after the initial request.

This only impacts organizations using SOAP APIs.