Rate Limiting

Tenable.io rate-limits API requests so that all customers experience the same level of service. The limit is not a fixed, published number: based on current processing load, Tenable.io calculates how many API requests it can accept from a single user per minute. Users are identified by the API key sent with each request, and an individual user can have only one valid API key at a time, so the limit applies per user rather than per client process.

If you submit an API request after the limit is reached, Tenable.io returns a response with HTTP status 429 (Too Many Requests). The response also carries a Retry-After header giving the number of seconds to wait before retrying. Wait at least that long before resending; retrying sooner only adds more requests for a user that is already over its limit.

Example Response Header

connection:keep-alive 
content-length:580 
content-type:text/html
date:Wed, 24 Oct 2018 17:13:43 GMT 
retry-after:30 
server:tenable.io
strict-transport-security:max-age=63072000; includeSubDomains
x-content-type-options:nosniff
x-gateway-site-id:nginx-router-b-eng-us-east-1.dcld
x-path-handler:tenable-io-plugins-plugin


Example: Handling 429 messages without the pyTenable module
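The following is an added example, not Tenable's code and not the pyTenable module: a minimal client that issues requests one at a time and, on a 429, sleeps for the Retry-After interval before resending. It falls back to exponential backoff if the header is missing or unparseable, caps any single wait so a bad header cannot stall the client, and gives up after a bounded number of retries. The retry count, the wait cap, the TIO_ACCESS_KEY/TIO_SECRET_KEY environment variable names and the FakeTenableIO transport are assumptions made for this example; the fake's 429 headers are constructed from the sample response above so the code runs offline.

```python
"""Handle Tenable.io 429 responses by honouring Retry-After.

Added example, not Tenable code. The transport is injected so the same retry
logic can drive the real urllib transport or the offline fake below.
"""
import os
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_RETRIES = 5          # assumed policy; the page publishes no retry count
MAX_WAIT_SECONDS = 300   # assumed cap so a bogus header cannot stall the client


class RateLimitExceeded(Exception):
    """Raised when the request still gets 429 after max_retries waits."""


def parse_retry_after(value, now=None):
    """Convert a Retry-After value to seconds to wait.

    RFC 7231 allows either delta-seconds ("30") or an HTTP-date; Tenable.io
    sends delta-seconds, but a robust client accepts both. Returns None when
    the header is absent or unparseable so the caller can fall back to backoff.
    """
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return int(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):   # older Pythons raise TypeError on garbage
        return None
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0, int((when - now).total_seconds()))


def request_with_backoff(send, method, url, *, max_retries=MAX_RETRIES, sleep=time.sleep):
    """Issue one request serially, retrying on 429 for as long as Retry-After says.

    `send(method, url)` must return (status, headers, body). Requests are never
    issued concurrently; each retry waits for the server-specified interval.
    """
    for attempt in range(max_retries + 1):
        status, headers, body = send(method, url)
        if status != 429:
            return status, headers, body
        if attempt == max_retries:
            raise RateLimitExceeded(f"{method} {url}: still rate limited after {max_retries} retries")
        lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
        wait = parse_retry_after(lower.get("retry-after"))
        if wait is None:                                      # no usable header: exponential backoff
            wait = 2 ** attempt
        sleep(min(wait, MAX_WAIT_SECONDS))


def urllib_send(method, url, timeout=60):
    """Real transport. urllib raises HTTPError for 4xx/5xx, so unwrap it into the
    same (status, headers, body) tuple the retry loop expects. Key values come
    from environment variables (names assumed); the X-ApiKeys header is how
    Tenable.io authenticates API keys and is not described on this page."""
    req = urllib.request.Request(url, method=method, headers={
        "X-ApiKeys": f"accessKey={os.environ['TIO_ACCESS_KEY']}; secretKey={os.environ['TIO_SECRET_KEY']}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class FakeTenableIO:
    """Constructed offline stand-in: answers 429 with headers taken from the
    page's sample response for the first `limit_hits` calls, then 200."""
    RATE_LIMITED_HEADERS = {
        "content-type": "text/html",
        "date": "Wed, 24 Oct 2018 17:13:43 GMT",
        "retry-after": "30",
        "server": "tenable.io",
    }

    def __init__(self, limit_hits):
        self.limit_hits = limit_hits
        self.calls = 0

    def send(self, method, url):
        self.calls += 1
        if self.calls <= self.limit_hits:
            return 429, dict(self.RATE_LIMITED_HEADERS), b"<html>Too Many Requests</html>"
        return 200, {"content-type": "application/json"}, b'{"ok": true}'


if __name__ == "__main__":
    fake = FakeTenableIO(limit_hits=2)
    waits = []   # record the sleeps instead of actually waiting 60 seconds
    status, _, body = request_with_backoff(fake.send, "GET", "/vulns/export", sleep=waits.append)
    print(status, body, "waited", waits, "over", fake.calls, "calls")
```

Swap `fake.send` for `urllib_send` with a full `https://cloud.tenable.com/...` URL to run it against the live API; the loop itself never issues two requests at once, which is the behaviour the recommendations below ask for.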

Recommendations to Avoid Rate Limits

  • Use the exports endpoints to retrieve data from Tenable.io. Tenable.io still supports the workbenches export endpoints, but Tenable recommends the optimized exports endpoints instead.
  • Do not multi-thread your requests. As long as you use the appropriate APIs, you can export data from Tenable.io sequentially without reaching the rate limit.
  • If your process regularly hits the API request rate limit, review your code to make sure it is not issuing requests concurrently (for example from several threads or processes sharing one API key).
  • Always use a unique user account for each API integration you enable or create. This keeps an audit trail of which integration accesses which data, lets Tenable.io enforce the rate limit per integration rather than pooling them under one user, and lets you revoke one integration's key without disturbing the others.