[GH-ISSUE #1173] Return rate limits when limited #827

New issue

Open

opened 2026-05-07 00:27:49 +02:00 by BreizhHardware · 4 comments

BreizhHardware commented 2026-05-07 00:27:49 +02:00

Owner

Copy link

Originally created by @ThisIsMissEm on GitHub (Aug 27, 2024).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1173

💡 Idea

Currently when ntfy rate limits a client, it seems to just send the 429 status code back, but doesn't advise as to when the rate limit would be lifted. This means that clients can't dynamically pause sending notifications until the rate limit resets, which leads to IP bans.

There is a standards track IETF proposal for RateLimit headers, which could make sense to use: https://www.ietf.org/archive/id/draft-ietf-httpapi-ratelimit-headers-07.html

This currently affects Mastodon: https://github.com/mastodon/mastodon/issues/26078

By advertising when the rate limits reset, we could delay all other notification until after the rate limit resets. I tried to look at both the documentation and code to see if you currently have any code that advertises to the client information about the rate limit, and couldn't find any.

💻 Target components

• ntfy server

Originally created by @ThisIsMissEm on GitHub (Aug 27, 2024). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1173 :bulb: **Idea** Currently when ntfy rate limits a client, it seems to just send the 429 status code back, but doesn't advise as to when the rate limit would be lifted. This means that clients can't dynamically pause sending notifications until the rate limit resets, which leads to IP bans. There is a standards track IETF proposal for RateLimit headers, which could make sense to use: https://www.ietf.org/archive/id/draft-ietf-httpapi-ratelimit-headers-07.html This currently affects Mastodon: https://github.com/mastodon/mastodon/issues/26078 By advertising when the rate limits reset, we could delay all other notification until after the rate limit resets. I tried to look at both the documentation and code to see if you currently have any code that advertises to the client information about the rate limit, and couldn't find any. :computer: **Target components** <!-- Where should this feature/enhancement be added? --> <!-- e.g. ntfy server, Android app, iOS app, web app --> - ntfy server

BreizhHardware added the

server

enhancement

labels 2026-05-07 00:27:49 +02:00

BreizhHardware commented 2026-05-07 00:27:50 +02:00

Author

Owner

Copy link

@ThisIsMissEm commented on GitHub (Oct 17, 2024):

You could also use the Retry-After header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After

<!-- gh-comment-id:2420068723 --> @ThisIsMissEm commented on GitHub (Oct 17, 2024): You could also use the `Retry-After` header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After

BreizhHardware commented 2026-05-07 00:27:50 +02:00

Author

Owner

Copy link

@Kariton commented on GitHub (Jan 19, 2026):

i would like to have a general endpoint or way to query the current rate-limits.
similar to docker or github.

docker:

# TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5429    0  5429    0     0  10325      0 --:--:-- --:--:-- --:--:-- 10321
# curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
HTTP/2 200 
date: Mon, 19 Jan 2026 06:09:41 GMT
content-type: application/vnd.docker.distribution.manifest.v2+json
content-length: 527
docker-content-digest: sha256:c2d41d2ba6d8b7b4a3ffec621578eb4d9a0909df29dfa2f6fd8a2e5fd0836aed
docker-distribution-api-version: registry/2.0
etag: "sha256:c2d41d2ba6d8b7b4a3ffec621578eb4d9a0909df29dfa2f6fd8a2e5fd0836aed"
strict-transport-security: max-age=31536000
ratelimit-limit: 100;w=21600
ratelimit-remaining: 69;w=21600
docker-ratelimit-source: REDACTED

github:

# curl https://api.github.com/rate_limit
{
  "resources": {
    "code_search": {
      "limit": 60,
      "remaining": 25,
      "reset": 1768803517,
      "used": 35,
      "resource": "code_search"
    },
    "core": {
      "limit": 60,
      "remaining": 25,
      "reset": 1768803517,
      "used": 35,
      "resource": "core"
    },
    "graphql": {
      "limit": 0,
      "remaining": 0,
      "reset": 1768806666,
      "used": 0,
      "resource": "graphql"
    },
    "integration_manifest": {
      "limit": 5000,
      "remaining": 5000,
      "reset": 1768806666,
      "used": 0,
      "resource": "integration_manifest"
    },
    "search": {
      "limit": 10,
      "remaining": 10,
      "reset": 1768803126,
      "used": 0,
      "resource": "search"
    }
  },
  "rate": {
    "limit": 60,
    "remaining": 25,
    "reset": 1768803517,
    "used": 35,
    "resource": "core"
  }
}

<!-- gh-comment-id:3766573768 --> @Kariton commented on GitHub (Jan 19, 2026): i would like to have a general endpoint or way to query the current rate-limits. similar to docker or github. docker: ```sh # TOKEN=$(curl "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token) % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 5429 0 5429 0 0 10325 0 --:--:-- --:--:-- --:--:-- 10321 # curl --head -H "Authorization: Bearer $TOKEN" https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest HTTP/2 200 date: Mon, 19 Jan 2026 06:09:41 GMT content-type: application/vnd.docker.distribution.manifest.v2+json content-length: 527 docker-content-digest: sha256:c2d41d2ba6d8b7b4a3ffec621578eb4d9a0909df29dfa2f6fd8a2e5fd0836aed docker-distribution-api-version: registry/2.0 etag: "sha256:c2d41d2ba6d8b7b4a3ffec621578eb4d9a0909df29dfa2f6fd8a2e5fd0836aed" strict-transport-security: max-age=31536000 ratelimit-limit: 100;w=21600 ratelimit-remaining: 69;w=21600 docker-ratelimit-source: REDACTED ``` github: ``` # curl https://api.github.com/rate_limit { "resources": { "code_search": { "limit": 60, "remaining": 25, "reset": 1768803517, "used": 35, "resource": "code_search" }, "core": { "limit": 60, "remaining": 25, "reset": 1768803517, "used": 35, "resource": "core" }, "graphql": { "limit": 0, "remaining": 0, "reset": 1768806666, "used": 0, "resource": "graphql" }, "integration_manifest": { "limit": 5000, "remaining": 5000, "reset": 1768806666, "used": 0, "resource": "integration_manifest" }, "search": { "limit": 10, "remaining": 10, "reset": 1768803126, "used": 0, "resource": "search" } }, "rate": { "limit": 60, "remaining": 25, "reset": 1768803517, "used": 35, "resource": "core" } } ```

BreizhHardware commented 2026-05-07 00:27:50 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 5, 2026):

We do have this, but it does not return all rate limits, so I think the request is still valid.

curl -s https://ntfy.sh/v1/account | jq .
{
  "username": "*",
  "role": "anonymous",
  "limits": {
    "basis": "ip",
    "messages": 250,
    "messages_expiry_duration": 43200,
    "emails": 5,
    "calls": 0,
    "reservations": 0,
    "attachment_total_size": 20971520,
    "attachment_file_size": 2097152,
    "attachment_expiry_duration": 10800,
    "attachment_bandwidth": 209715200
  },
  "stats": {
    "messages": 0,
    "messages_remaining": 250,
    "emails": 0,
    "emails_remaining": 5,
    "calls": 0,
    "calls_remaining": 0,
    "reservations": 0,
    "reservations_remaining": 0,
    "attachment_total_size": 0,
    "attachment_total_size_remaining": 20971520
  }
}

<!-- gh-comment-id:3850754379 --> @binwiederhier commented on GitHub (Feb 5, 2026): We do have this, but it does not return _all_ rate limits, so I think the request is still valid. ``` curl -s https://ntfy.sh/v1/account | jq . { "username": "*", "role": "anonymous", "limits": { "basis": "ip", "messages": 250, "messages_expiry_duration": 43200, "emails": 5, "calls": 0, "reservations": 0, "attachment_total_size": 20971520, "attachment_file_size": 2097152, "attachment_expiry_duration": 10800, "attachment_bandwidth": 209715200 }, "stats": { "messages": 0, "messages_remaining": 250, "emails": 0, "emails_remaining": 5, "calls": 0, "calls_remaining": 0, "reservations": 0, "reservations_remaining": 0, "attachment_total_size": 0, "attachment_total_size_remaining": 20971520 } } ```

BreizhHardware commented 2026-05-07 00:27:50 +02:00

Author

Owner

Copy link

@disconn3ct commented on GitHub (Mar 13, 2026):

Is the returned username accurate? And does this include NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS?

<!-- gh-comment-id:4054821397 --> @disconn3ct commented on GitHub (Mar 13, 2026): Is the returned username accurate? And does this include `NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS`?

BreizhHardware referenced this issue 2026-05-07 01:02:07 +02:00

[PR #835] [CLOSED] Extra fields in JSON body #1440

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#827

No description provided.