The Core API uses API tokens to authenticate its users.
You MUST send the token with each request in the Authorization header, and the token MUST be preceded by Bearer (the HTTP Bearer authentication scheme). Send it only in that header, never as a query parameter, since URLs end up in proxy and server logs. See the Authorization header in the example request below.
curl --request GET \
  --url https://api2.frontapp.com/conversations/cnv_123/drafts \
  --header 'Authorization: Bearer [REQUEST_TOKEN]'
As an admin, you can generate an API token directly from Front (Settings > Plugins & API > API). If you are already a Front customer, read our How to create and revoke API tokens guide for instructions on generating an API token and getting started with Front's API. Treat the token as a credential: store it in a secrets manager or environment variable rather than in source code, and revoke it from the same settings page if it is ever exposed.
By default, Front's API rate limits start at 100 requests per 60 seconds and can be increased depending on your plan. For example, customers with the Prime plan (and above) have a default rate limit of 200 requests per 60 seconds. If you need to increase your API rate limit beyond the limit provided by your plan, an API Rate Limit add-on can be purchased.
Every API response contains three headers related to rate limiting:
X-RateLimit-Limit - maximum number of requests allowed in the time window
X-RateLimit-Remaining - number of requests remaining in the current time window
X-RateLimit-Reset - timestamp at which the remaining-request count will be reset
When the rate limit is exceeded, the server responds with a 429 Too Many Requests HTTP status code and a Retry-After header telling you how many seconds to wait before retrying the request.
Additional "burst" rate-limiting
Some resource-intensive routes are subject to additional rate-limiting to prevent strain on Front's infrastructure. This additional limit has a short TTL and only prevents sudden bursts of requests; the limit depends on the resources needed to fulfill the request. See the tier list below.
Responses for such routes carry the header X-Front-Tier, which indicates the route's tier. If you are rate limited at the resource level, you will receive the Retry-After header even though X-RateLimit-Remaining may be greater than 0, because the burst limit and the global limit are tracked independently. Wait Retry-After seconds before retrying the request; do not infer that you are clear to retry from the X-RateLimit-Remaining counter alone.
Tier 1 - limited to 1 request / sec
Tier 2 - limited to 3 requests / sec
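The authentication and rate-limit rules above (Bearer token in the Authorization header, the three X-RateLimit-* headers, Retry-After on 429, and the burst-tier case where Retry-After arrives while X-RateLimit-Remaining is still above zero), put together in one client sketch. This is an added example, not code from Front's documentation or any Front SDK. It assumes urllib as the transport, treats X-RateLimit-Reset as a Unix timestamp in seconds, falls back to a one-second wait if a 429 ever arrives without Retry-After, reads the token from a FRONT_API_TOKEN environment variable, and replays a constructed sample exchange (not captured from Front) so it runs offline.

```python
import os
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

FRONT_API = "https://api2.frontapp.com"

@dataclass
class ApiResponse:
    status: int
    headers: dict
    body: bytes

    def header(self, name, default=None):
        """Case-insensitive lookup, since HTTP header names are case-insensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return default

def auth_headers(token):
    """Authorization header exactly as the docs require: 'Bearer <token>'."""
    if not token:
        raise ValueError("missing API token; export FRONT_API_TOKEN")
    return {"Authorization": "Bearer " + token, "Accept": "application/json"}

def rate_limit_state(resp):
    """Global-window counters plus the burst tier (None when the route has none)."""
    return {
        "limit": int(resp.header("X-RateLimit-Limit", 0)),
        "remaining": int(resp.header("X-RateLimit-Remaining", 0)),
        "reset": int(resp.header("X-RateLimit-Reset", 0)),
        "tier": resp.header("X-Front-Tier"),
    }

def retry_after_seconds(resp):
    """Delay from Retry-After in seconds, or None if absent. A burst-tier limit sends it
    while X-RateLimit-Remaining is still > 0, so never infer throttling from the counter."""
    value = resp.header("Retry-After")
    if value is None:
        return None
    try:
        return max(0, int(value))
    except ValueError:
        return None  # HTTP-date form of Retry-After is not handled here

def seconds_until_reset(state, now):
    """Pause needed once the global window is exhausted (remaining == 0).
    Assumption: X-RateLimit-Reset is a Unix timestamp in seconds, like `now`."""
    return max(0, state["reset"] - int(now))

def urllib_send(method, path, headers, body=None):
    """Real transport (urllib is an assumption). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(FRONT_API + path, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return ApiResponse(r.status, dict(r.headers.items()), r.read())
    except urllib.error.HTTPError as e:
        return ApiResponse(e.code, dict(e.headers.items()), e.read())

def request_with_backoff(send, method, path, token, max_attempts=5, sleep=time.sleep):
    """Send one request, honoring Retry-After for both the global window and burst tiers.
    `send(method, path, headers) -> ApiResponse` is injected so the logic runs offline."""
    headers = auth_headers(token)
    waits = []  # delays actually slept, returned so callers can log them
    for _ in range(max_attempts):
        resp = send(method, path, headers)
        delay = retry_after_seconds(resp)
        if resp.status != 429 and delay is None:
            return resp, waits
        if delay is None:
            delay = 1  # assumption: short fallback for a 429 without Retry-After
        waits.append(delay)
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts on {path}")

# Constructed sample exchange (not captured from Front): a Tier 1 route answers with
# Retry-After while 95 global requests remain, then succeeds on the retry.
SAMPLE_RESPONSES = [
    ApiResponse(429, {"Retry-After": "2", "X-RateLimit-Limit": "100",
                      "X-RateLimit-Remaining": "95", "X-RateLimit-Reset": "1700000060",
                      "X-Front-Tier": "1"}, b"{}"),
    ApiResponse(200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "94",
                      "X-RateLimit-Reset": "1700000060", "X-Front-Tier": "1"}, b'{"_results": []}'),
]

def scripted_send(responses):
    """Fake transport for offline runs: replays responses in order and records each call."""
    queue, calls = list(responses), []
    def send(method, path, headers):
        calls.append((method, path, dict(headers)))
        return queue.pop(0)
    return send, calls

if __name__ == "__main__":
    token = os.environ.get("FRONT_API_TOKEN", "tok_example")  # never hard-code a real token
    send, calls = scripted_send(SAMPLE_RESPONSES)
    resp, waits = request_with_backoff(send, "GET", "/conversations/cnv_123/drafts", token)
    print("status", resp.status, "waited", waits, "state", rate_limit_state(resp))
```

The part worth copying is the retry decision in request_with_backoff: it keys on the 429 status and the Retry-After header, not on X-RateLimit-Remaining, because a burst-tier limit can fire while the global counter is still well above zero. For real calls, pass urllib_send as the transport; for the global window, seconds_until_reset gives the proactive pause when the remaining count reaches zero.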
By default, individual resources are private: the API does not let you interact with them or with their content.
However, a user can allow API access to their own individual resources in their settings (Settings > My preferences > "Allow access to my individual resources via the API").
Individual resources are accessible only to API tokens generated in Front, as described above. OAuth clients are not authorized to access them.