Today we’re announcing new tools to help us better identify the API calls that your app makes to Instagram. These new tools will bring more consistency and stability to your app since our systems will now have a stronger understanding of the calls that you make, enabling us to help support you in the best way possible. As part of these new tools, we are also introducing a new method for rate-limiting POSTs made to our platform which will go into effect on July 7, 2014.

Disable Client-Side (Implicit) Authentication

For apps that issue API calls to Instagram server-side, we have introduced a new setting in your OAuth Client configuration that causes all Client-Side (Implicit) authorization requests for that client to be rejected. Given the convenience of the implicit OAuth grant flow, we've found many developers opting for it, even though it was created only to support JavaScript and mobile clients, which cannot keep a client secret. Because the implicit flow needs nothing more than your public client ID, it is the one flow a third party can drive in your app's name. Server-side apps should enable this new setting to prevent malicious developers from impersonating your OAuth Client through the implicit flow and capturing access tokens from unsuspecting people.

Enforce Signed Header

To help us better verify that your app is the source of API calls made on behalf of your OAuth Client, we have also added support for a new HTTP header that carries a signature over your API requests. With the new Enforce signed header setting enabled on your OAuth Client configuration, we verify the signature in the X-Insta-Forwarded-For HTTP header and reject any API call whose signature is missing or does not verify. Because the signature is keyed with your client secret, only server-side code can produce it. As with disabling client-side authentication, we encourage all developers with server-side apps to begin securing their API calls with this HTTP header.

Revised Rate Limits on POSTs

On July 7, 2014, we will introduce a new method for rate-limiting POSTs made to the Instagram Platform, in which a different set of rate limits is applied depending on whether your app issues signed requests. Under this new model, we will provide an elevated set of rate limits for apps that secure their OAuth Clients by taking both of the following actions:

  • Disabling Client-Side (Implicit) Authentication
  • Signing all POSTs and DELETEs to the Instagram Platform with the X-Insta-Forwarded-For HTTP header

The following new rate limits will go into effect on July 7, 2014:

Unsigned Calls (per OAuth token):

  • POST /media/media-id/likes:  30/hour
  • POST /media/media-id/comments:  15/hour
  • POST /users/user-id/relationships:  20/hour

Signed Calls (per OAuth token):

  • POST /media/media-id/likes:  100/hour
  • POST /media/media-id/comments:  60/hour
  • POST /users/user-id/relationships:  60/hour

Support for HTTP 429 Status Code

In order to provide more clarity when a rate limit condition has been hit, we will begin returning the HTTP status code 429 (Too Many Requests) for calls that exceed the rate limit for a particular endpoint. The following changes take effect today:

  • Requests with user tokens that exceed a rate limit will now return HTTP status code 429 (previously 400)
  • Requests that exceed the global rate limit for a client ID will return HTTP status code 429 (previously 420)
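Putting the three changes together, here is an added example in Python, not code from Instagram or its libraries, that models both sides: the app signs its POSTs with X-Insta-Forwarded-For, and a toy platform verifies the signature, routes the call into the signed or unsigned limit bucket listed above, and returns 429 once the hourly per-token limit is exceeded. The header layout used here (the forwarded end-user IP, a pipe, then the hex HMAC-SHA256 of that IP keyed with the client secret) is not given on this page and is an assumption; the client secret and IP addresses are constructed sample values.

```python
import hashlib
import hmac
from collections import defaultdict

HEADER_NAME = "X-Insta-Forwarded-For"

# Hourly POST limits per OAuth token as listed in this post, keyed by the
# endpoint and by whether the call counts as signed.
POST_LIMITS = {
    "POST /media/media-id/likes": {"unsigned": 30, "signed": 100},
    "POST /media/media-id/comments": {"unsigned": 15, "signed": 60},
    "POST /users/user-id/relationships": {"unsigned": 20, "signed": 60},
}


def sign_forwarded_for(client_secret, client_ip):
    """Build the header value for one end-user IP.

    Assumed layout (not stated on this page): the forwarded IP, a '|', and
    the hex HMAC-SHA256 of that IP string keyed with the OAuth client secret.
    """
    digest = hmac.new(client_secret.encode("utf-8"),
                      client_ip.encode("utf-8"),
                      hashlib.sha256).hexdigest()
    return "%s|%s" % (client_ip, digest)


def signed_headers(client_secret, client_ip):
    """Headers a server-side app attaches to every POST and DELETE."""
    return {HEADER_NAME: sign_forwarded_for(client_secret, client_ip)}


def verify_forwarded_for(client_secret, header_value):
    """Server-side check: return the forwarded IP if the header verifies,
    otherwise None. Absent or malformed headers never verify."""
    if not header_value or "|" not in header_value:
        return None
    client_ip, _, presented = header_value.partition("|")
    expected = hmac.new(client_secret.encode("utf-8"),
                        client_ip.encode("utf-8"),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain '==' would leak how many leading
    # hex digits of a guessed signature were right.
    if not hmac.compare_digest(expected, presented):
        return None
    return client_ip


class SignatureRejected(Exception):
    """Enforce signed header is on and the call is unsigned or mis-signed.
    The post says such calls are rejected but names no status code, so the
    model raises instead of inventing one."""


class ToyPlatform:
    """Model of the platform side for one OAuth Client: the two new client
    settings, a per-token counter per endpoint, and HTTP 429 for calls over
    the limit. The counter never rolls over; a real system buckets by hour."""

    def __init__(self, client_secret, implicit_auth_disabled=False,
                 enforce_signed_header=False):
        self.client_secret = client_secret
        self.implicit_auth_disabled = implicit_auth_disabled
        self.enforce_signed_header = enforce_signed_header
        self.counts = defaultdict(int)  # (token, endpoint, bucket) -> calls

    def handle_post(self, endpoint, access_token, headers):
        """Return 200 for an accepted call, or 429 once the hourly limit for
        this token, endpoint and bucket is exceeded."""
        client_ip = verify_forwarded_for(self.client_secret,
                                         headers.get(HEADER_NAME))
        if self.enforce_signed_header and client_ip is None:
            raise SignatureRejected(endpoint)
        # Elevated limits apply only to clients that took both actions, and
        # only to calls that actually carry a verified signature.
        secured = self.implicit_auth_disabled and self.enforce_signed_header
        bucket = "signed" if (secured and client_ip is not None) else "unsigned"
        key = (access_token, endpoint, bucket)
        self.counts[key] += 1
        if self.counts[key] > POST_LIMITS[endpoint][bucket]:
            return 429  # Too Many Requests (previously 400 for user tokens)
        return 200


if __name__ == "__main__":
    secret = "constructed-example-client-secret"   # constructed sample
    platform = ToyPlatform(secret, implicit_auth_disabled=True,
                           enforce_signed_header=True)
    headers = signed_headers(secret, "203.0.113.10")   # constructed IP
    endpoint = "POST /media/media-id/comments"
    statuses = [platform.handle_post(endpoint, "token-1", headers)
                for _ in range(61)]
    print(statuses.count(200), "accepted,", statuses.count(429), "limited")
```

Because the signature is keyed with the client secret, a browser or mobile client cannot produce it, which is why the header and the implicit-flow setting go together: someone who drives the implicit flow with your public client ID still cannot sign POSTs as your server. The model covers only the per-token limits; the global per-client-ID limit (now also 429, previously 420) is not modelled.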

Updated Libraries

Lastly, we have updated our Python and Ruby libraries to add support for the new X-Insta-Forwarded-For HTTP header as well as the new HTTP 429 status code. These updated libraries can be found on our developer site.