# ory-network
a
Hey, we are using a Free Ory Network project for IAM. We recently migrated one of our apps to use Kratos for authentication and it seemed everything is working fine. But now we are randomly getting 429s and we can't understand what's happening. We authenticate the user on the browser side and then verify the caller on server-side requests based on their cookies. So first you log in on our website, you get your Kratos cookie and when making requests to the backend that cookie is attached. The backend then verifies user identity by calling Kratos. As the app initializes, we're making around 10 requests to the backend in a matter of a second. We noticed now that sporadically, one or more of those would fail. Ory Network starts returning 429 on any request for that session token for around 5-30 seconds. I did not find any mention about this behavior in the docs. Could you please help me understand what's happening and how to work around this issue?
Slight edit: we are using Ory Proxy to handle calls to Ory. I just realized that when loading our app in dev mode, it will make a lot of requests for locally served js files. Those go through the proxy, get authenticated, and likely rightfully result in a 429.
I now understand what the "Zero Trust" part of the proxy does. I didn't give it much thought before.
s
Hi Mateusz, The proxy is doing internal session checks (sessions/whoami) for each request. As this includes other resources like js files etc, the number of requests to the sessions/whoami endpoint can be quite high and result in being rate limited.
a
I see, it looks like that's what's happening. Thanks!
s
For now, you can reduce the number of requests by caching these resources on the client side. We will discuss internally if/how we optimize the proxy.
a
It could be possibly useful to be able to specify what paths are exempt from the session check 🤔
Anyway, thanks for taking a look, I appreciate it!
s
> It could be possibly useful to be able to specify what paths are exempt from the session check 🤔
yes, exactly. This was also my thought, but we will check this tomorrow. Maybe I am missing something… Have a nice evening.
@acoustic-insurance-23566 I created a GitHub issue for this: https://github.com/ory/cli/issues/299
a
Thanks!