Rate limit Storefront api while using middleware

Jens_B
New Member
4 0 0

Dear Shopify Api expert,

we create multiple private apps to enable merchants to sell their products via their own native iOS and Android apps.


Based upon the documentation we have chosen to use the Storefront api for our integration. To be able to offer the users of the shopping apps a flawless experience, we use our own servers as middleware. This where we might encounter an issue with the api rate limit.

 

THE ISSUE
The origin of each request will be by a person using the shopping app (for example, a user registers herself in the shopping app). The intention of the rate limit is that this 1 person should not make too many requests.

However, because we use our servers as middleware, it will not be this persons's IP-nr that will be identified by Shopify, but the IP-nr of our server.

 

This is the issue we expect to encounter, because obviously many users from many apps will make many requests. When these are all identified as request by our server, all of our shopping apps will be disfunctional very soon becuase of exceeding the rate limit.

 

This is not the intention of the rate limit but might be the technical reality.

 

THE SOLUTION

 

What would you recommend:

a. Make a request to get your IP whitelisted, this where you can send the request to:...

b. Use the REST Api instead

c. Move all requests in the appcode, in spite of the tech downsides

d. Combine the above

e. Else,...

?

 

Many thanks in advance!

Jens

 

Replies 8 (8)

SBD_
Shopify Staff
1829 270 412

Hey @Jens_B,

 

Move all requests in the appcode, in spite of the tech downsides

This would be ideal - can you elaborate on the downsides?

 

Alternatively, consider using the Admin API (available in GraphQL and REST).

Scott | Developer Advocate @ Shopify 

Jens_B
New Member
4 0 0

Hello Scott,
many thanks for your fast reply. Good to know we can reach the right Shopify Staff via this channel.

 

To answer your question, we prefer to keep our code as plain and consistent as possible, and make all requests to 1 server only. It helps in maintenance and scalability. Using the REST Api seems the best option for us.

 

However, does the Rest Api facilitate user-login (passwords) as well?


Best,
Jens

Jens_B
New Member
4 0 0

Hi,

did you have a chance to look at my reply?

Cheers,
Jens

SBD_
Shopify Staff
1829 270 412

Hey @Jens_B,

 

we prefer to keep our code as plain and consistent as possible, and make all requests to 1 server only. It helps in maintenance and scalability.

I'm not sure I follow the logic. Wouldn't hitting the Storefront API be the same 'plain and consistent' code as hitting a private server? And given the requests (to Storefront API) would be sent from different IPs, this approach should help with scaling. Let me know what I'm missing 🙂

Scott | Developer Advocate @ Shopify 

Jens_B
New Member
4 0 0

Hi @SBD_ ,

that is true as long as we use the code to exchange data with the Shopify servers only. Will be glad to disclose more in detail, yet rather via a private message.
Best
Jens

 

K-T
Shopify Partner
2 0 2

Hi, I'm really curious about the solution as well. We have a middleware layer that handles some additional actions.

 

Questions:

 

1. Is it possible to use a X-Forwarded-For header (that does not seem to work, perhaps due to a misconfiguration)?

2. Why is the REST API recommended, does that not have the same IP based rate limit?

3. How would a custom extra CDN work (not only the one from Shopify); or is that also not possible?

We are having quite some scaling issues right now and are at a loss on how to continue.

Thanks in advance.

Lokiii
Shopify Partner
8 0 8

Any news on this one? I'm doing all of the Storefront API call from an API layer (SSR usually or via my API on NextJS). My product is not live yet but I'm concerned in advance about the rate limiting. 

The X forwarded for header would do the trick as well for my use case. Thanks!

joshlarson
Shopify Staff (Retired)
1 0 2

Hi! Coming to you with an update nearly 4 years later 🙂 

 

Shopify's Storefront API now has mechanisms in place to assist with rate limiting issues when calls are made from the server. Please see the "Usage limitations" section under this rate limiting guide: https://shopify.dev/api/storefront#rate_limits

 

tl;dr you can use a combination of:

Shopify-Storefront-Private-Token (delegate access token)

- Shopify-Storefront-Buyer-IP (current visitor's IP address)

To learn more visit the Shopify Help Center or the Community Blog.