Receiving a 403 Forbidden API Error Message
We are running performance testing in our Brightspace test server with 7% failures related to "403 Forbidden" error messages.
Perf Testing: We are automating 18 users to load the widget every second for 1 minute—equaling about 1,080 users in a minute.
Background: We have 4 back-end servers with round-robin traffic running a custom widget within our Brightspace test domain. Each server is equipped with its own refresh token and the ability to generate new ones.
Our performance testing is to check how many concurrent users logged in can load the widget at the same time. Since our student base reaches around ~350,000, we can estimate around 1000 users concurrently using the widget at any given minute (max possible users).
Even though the widget continues to work, the 403 Forbidden error messages continue to appear in every perf test.
Could this be the cause of insufficient server resources or are we capping the rate limit of our API endpoints?
Best Answer
-
Hi Mateen, Thank you for submitting your question.
Based on the 403 Forbidden errors you're seeing, it's very likely that you're hitting API rate limits. Even though you're using multiple backend servers with separate refresh tokens, if the same client ID or user context is being reused, Brightspace may still throttle the requests. This is consistent with how D2L’s API rate limiting works, as outlined in their documentation.
It’s also worth checking that each token has the correct scopes and is being refreshed properly under load. If possible, try reviewing the response headers of the failed requests; they might include a Retry-After or other rate-limit indicators.
Brightspace API calling conventions — Developer Platform (June 2025)
I hope this information helps!
Answers
-
@Raquel.B.1893 - What is the API rate limit? We ran a smoke test of 4 users per second, which is about 240 users per minute with 4 API calls per user, hitting 960 API calls per minute.
-
Hi Mateen,
The Rate Limit Bucket Size is 50,000 API Credits per minute. Also, the route token costs are set at 10 credits per API call. This can be found in our API Rate Logging/Limiting - FAQ here:
API Rate Logging/Limiting - FAQ - Brightspace
If you cross this threshold, you should get the "429 - Too Many Requests" message.
Additionally, 403 errors usually refer to Permission errors. If authentication credentials were provided in the request, the server might consider them insufficient to grant access. For example, the token could have expired during the sessions or maybe the role has no access to this specific call/scope being passed.
Finally, I would encourage you to visit our Developers community, which is an exciting place to discuss issues related to APIs and development in general. You can find it here: Developers — Brightspace
Hope this helps!
Regards,
Gabriel
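
The triage suggested in the answers above, as an added example that is not part of the thread and is not D2L code: it separates rate-limit responses (429 or a Retry-After header) from 403s sent with an already expired token and from 403s that point to scope or role permissions, and compares the peak minute against the credit budget quoted in the thread. The record fields (`sent_at`, `token_expires_at`, `status`, `headers`) and the sample data are constructed assumptions about what a load-test harness would log.

```python
from collections import Counter

# Figures quoted in the thread's FAQ reference.
BUCKET_CREDITS_PER_MIN = 50_000
CREDITS_PER_CALL = 10


def classify(rec):
    """Return a triage label for one logged load-test response."""
    status = rec["status"]
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if status < 400:
        return "ok"
    if status == 429 or "retry-after" in headers:
        return "rate_limited"
    if status in (401, 403):
        # Request left the client after the access token had expired.
        if rec["sent_at"] >= rec["token_expires_at"]:
            return "token_expired"
        return "permission_or_scope"
    return "other_error"


def triage(records):
    """Summarise failure causes and the busiest minute's credit use."""
    labels = Counter(classify(r) for r in records)
    per_minute = Counter(int(r["sent_at"] // 60) for r in records)
    peak_credits = max(per_minute.values()) * CREDITS_PER_CALL
    return {
        "labels": dict(labels),
        "peak_credits": peak_credits,
        "over_budget": peak_credits > BUCKET_CREDITS_PER_MIN,
    }


# Constructed sample log: times are seconds since the test started.
SAMPLE = [
    {"sent_at": 1.0, "status": 200, "headers": {}, "token_expires_at": 30.0},
    {"sent_at": 12.5, "status": 200, "headers": {}, "token_expires_at": 30.0},
    {"sent_at": 31.2, "status": 403, "headers": {}, "token_expires_at": 30.0},
    {"sent_at": 40.0, "status": 403, "headers": {}, "token_expires_at": 3600.0},
    {"sent_at": 45.0, "status": 429, "headers": {"Retry-After": "5"},
     "token_expires_at": 3600.0},
    {"sent_at": 61.0, "status": 200, "headers": {}, "token_expires_at": 3600.0},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A run dominated by `token_expired` points at token refresh under load, while `permission_or_scope` points at the role or scopes attached to the token.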