
Overview

To ensure fair usage and maintain system performance, the Snippets AI API implements rate limiting specifically for invalid API key attempts.

Invalid API Key Block

20 invalid attempts within a rolling window will result in a 5-minute block for that API key.

General Rate Limit

There is no general rate limit for valid API requests. You can make as many valid requests as needed without encountering rate limiting errors, provided your API key is valid and has the necessary permissions.

How the Invalid API Key Block Works

This security measure helps prevent brute-force attacks on API keys:
  • Each API key has a counter for invalid access attempts.
  • If 20 invalid attempts are detected within a short rolling window, the API key will be temporarily blocked.
  • The block lasts for 5 minutes, after which the key is automatically unblocked, and the counter resets.
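
The counter-and-block behaviour listed above can be sketched as a sliding-window limiter. This is an added illustration, not Snippets AI's server code. The class name, method names and the 60-second window are assumptions; the page states only the 20-attempt threshold and the 5-minute block.

```javascript
// Added illustration, not Snippets AI's implementation.
// ASSUMPTION: the page does not state the window length; 60 s is a placeholder.
class InvalidKeyLimiter {
	constructor({ maxInvalid = 20, windowMs = 60_000, blockMs = 300_000, now = () => Date.now() } = {}) {
		Object.assign(this, { maxInvalid, windowMs, blockMs, now });
		// Key id -> { attempts: [ms timestamps], blockedUntil: ms or 0 }.
		// Production code would key on a hash of the presented key and cap or
		// expire entries, because non-existent keys are tracked as well.
		this.state = new Map();
	}

	// Seconds left on the block, 0 if not blocked. Usable as a Retry-After value.
	retryAfter(keyId) {
		const entry = this.state.get(keyId);
		if (!entry || entry.blockedUntil === 0) return 0;
		const remainingMs = entry.blockedUntil - this.now();
		if (remainingMs > 0) return Math.ceil(remainingMs / 1000);
		this.state.delete(keyId); // block expired: unblock and reset the counter
		return 0;
	}

	// Record one invalid attempt. Returns true if the key is blocked afterwards.
	recordInvalid(keyId) {
		if (this.retryAfter(keyId) > 0) return true; // already blocked, do not extend
		const t = this.now();
		const entry = this.state.get(keyId) ?? { attempts: [], blockedUntil: 0 };
		// Rolling window: forget attempts older than windowMs before counting.
		entry.attempts = entry.attempts.filter((ts) => t - ts < this.windowMs);
		entry.attempts.push(t);
		if (entry.attempts.length >= this.maxInvalid) {
			entry.blockedUntil = t + this.blockMs;
			entry.attempts = [];
		}
		this.state.set(keyId, entry);
		return entry.blockedUntil !== 0;
	}
}

// Constructed demo with a fake clock: 20 invalid attempts one second apart.
function demo() {
	let clock = 0;
	const limiter = new InvalidKeyLimiter({ now: () => clock });
	let blocked = false;
	for (let i = 0; i < 20; i++) {
		clock += 1000;
		blocked = limiter.recordInvalid('key-A');
	}
	return { blocked, retryAfter: limiter.retryAfter('key-A') };
}
console.log(demo());
```

Injecting the clock makes the window and block expiry testable without waiting five minutes.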

Invalid Attempt Criteria

An “invalid attempt” is counted when:
  • An API request is made with a non-existent API key.
  • An API request is made with a valid API key, but it lacks the necessary permissions for the requested resource (e.g., wrong team ID).

Checking Your API Key Status

Blocked API Key Errors

When your API key is temporarily blocked due to excessive invalid attempts, you’ll receive a 403 Forbidden response (or similar, depending on exact implementation):
{
	"success": false,
	"message": "Too many invalid API key attempts. This API key has been temporarily blocked for 5 minutes."
}
This response may also include a Retry-After header with the number of seconds until the block is lifted.

Handling Invalid API Key Blocks

Exponential Backoff (Modified)

If you encounter a 403 Forbidden error specifically related to an API key block, you should cease attempts for the specified Retry-After duration. If no Retry-After is provided, assume a 5-minute (300-second) wait.
const axios = require('axios');

async function makeRequestWithBackoff(url, options, maxRetries = 3) {
	for (let i = 0; i < maxRetries; i++) {
		try {
			const response = await axios(url, options);
			return response.data;
		} catch (error) {
			if (
				error.response?.status === 403 &&
				error.response?.data?.message?.includes(
					'Too many invalid API key attempts'
				)
			) {
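				// Get retry-after from header (in seconds), default to 300 (5 minutes).
				// Also fall back to 300 if the header is not a positive integer
				// (e.g. an HTTP-date): a NaN delay would make setTimeout fire immediately.
				const parsed = parseInt(error.response.headers['retry-after'], 10);
				const retryAfter = Number.isFinite(parsed) && parsed > 0 ? parsed : 300;

				const waitTime = retryAfter * 1000;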

				console.log(`API key blocked. Waiting ${waitTime / 1000} seconds...`);
				await new Promise((resolve) => setTimeout(resolve, waitTime));

				// Retry the request after the block period
				continue;
			}

			// Re-throw other errors, including other 403s (e.g., permission issues)
			throw error;
		}
	}

	throw new Error('Max retries exceeded for API key block');
}

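// Usage (wrapped in an async function: top-level await is unavailable with require())
// SNIPPETS_API_KEY is an assumed environment variable name; keep the key out of source code.
const API_KEY = process.env.SNIPPETS_API_KEY;

(async () => {
	const result = await makeRequestWithBackoff(
		'https://www.getsnippets.ai/api/prompts/snippet',
		{
			method: 'GET',
			headers: {
				Authorization: `Bearer ${API_KEY}`,
			},
			params: { id: 'snippet_id' },
		}
	);
	console.log(result);
})().catch(console.error);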

Best Practices

  • Always ensure you are using a valid and active API key. Double-check your key and its permissions in the Snippets AI dashboard.
  • Distinguish between different 4xx errors. A 401 Unauthorized means a generally invalid key, while a 403 Forbidden might indicate a temporary block if the message specifically mentions “Too many invalid API key attempts”.
  • Do not repeatedly try invalid API keys. This will lead to temporary blocks.
  • Regularly monitor logs and error reports from your applications to quickly identify if an API key is being blocked.

FAQs

No, there is no general rate limit for valid API requests. You can make as many valid requests as your account quota allows.
Your API key will be temporarily blocked for 5 minutes after 20 invalid attempts. During this time, all requests with that key will fail.
No, requests made with a temporarily blocked API key do not consume from your API request quota. However, invalid attempts that lead to the block do count towards the 20-attempt limit.
Repeated and excessive attempts to bypass the security block may lead to a permanent ban of the API key or even the associated workspace. We recommend resolving the underlying issue rather than repeatedly hitting the block.

Need Help?

If you’re having trouble with API key blocks: