how to mitigate 30 request per minute limitation?

im newbie to vanilla forum. we have integrate vanila forum to our app by using vanilla api. if i talked about the vanila integration to your site. admins can create discussions from your app and we direct those request to api using a access token key which is generated for a administrator in vanilla forum.

users are logged in through Access Directory and its integrated with vanilla api as well. users can access our api and see the vanilla forum which uses access directory authentication and can create conversations. we thought to follow the same pattern which described above and i have an issue that we will get hitting by 30 request per minute if 40 users tried to create conversation at the same time ( in a minute). how to handle this situation ? how user can directly contact vanilla discussion safely ? can we create tokens for each and every user?

i hereby attached an image as well to show the architecture we are using


  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    You should have a token per user. Otherwise you will have to reconstruct each and every permission handling on your apps side.

    If you access the API with a token of a user, you don't have to think about permissions.

    See here for an example on how to create a token for a user:

  • Hi @R_J thanks alot for your answer on this. i read your code for create token per user. but where should i put this php class? i should put in in vanilla forum server or my backend? if you nevermind can you please explain how to use this plugin with vanilla ?

  • @R_J i used docker for vanilla and set it up using that. and i tried to follow your documentation on how to install a plugin as wel. then i uploaded your plugin as you instructed in there. and i enabled the plugin.

    issue is when i tried to access api im getting full page render with page not found error. how to fix that issue ? i tried in addon to enable api or something but its not there.

  • @R_J sorry for tagging you again . i tried to trigger your plugin using the URL vanila-domain/api/v2/plugin/apitoken

    but it says its not found.

  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    No, the plugin isn't really useful for anything else but being a reference implementation on how to issue a token.

    You might also be interested in this comment:

    That "feature flag" mentioned there means, that you have to add $Configuration['Feature']['AuthenticationAPI']['Enabled'] = true; to your config to use the authentication api. But I haven't done any tests with that so that I cannot tell you how to use that. Since it hasn't been officially audited, it might not be the best idea to already use it.

  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    Forget about that linked comment. It wouldn't help you. It allows authentication via API but it doesn't issue a token, so you will have to implement that on your own.

    By now your server does every request to Vanilla as the admin user. If you mix up the code from the plugin above and the information from that discussion, you should be able extend your servers functionlaity to issue a token for a user (if needed.

  • charrondevcharrondev Application Developer (PHP, JS) Montreal Vanilla Staff

    I wonder if we should maybe make it clearer, but our vanilla-docker isn't really setup for production usage. It comes with xdebug installed and enabled, and doesn't even have opcache.

    It's built primarily for local development.

  • R_JR_J Cheerleader & Troubleshooter Munich Moderator

    Who cares reading documentation? After all this discussion is all about that part of the docs 😉

Sign In or Register to comment.