Am I DDOSing AGO For Tokens To WAB?

07-19-2021 05:51 AM
I embed Web AppBuilder applications into another application and I'm having an intermittent issue authenticating.  Some of the underlying data needs to be protected so I generate a token for authentication.  I had an issue where the credentials could be viewed with browser dev tools (a no-no), so I have a proxy page that, given an ID will fetch the credentials out of a secure data store and send the token request to AGO.  This works well, except for an intermittent issue where I get the following JSON from my token request:

{"error":{"code":400,"message":"Unable to generate token.","details":["Too many generate token requests. Please try again later."]}}

When this happens, my apps will not load on the first try, but may load just fine on subsequent tries.  We have a lot of these apps, so finding the cause of this issue is paramount.  Is there anyone that can comment on how many token requests an AGO/portal organization can receive before sending this error?  My google searches have turned up nothing.

Can you please show the full request?
Assume that you refer this endpoint:

I don't how many request you did but in portal 10.8 I can confirm that I
can make 300/minute requests without any problem

var data = new FormData();
data.append("username", "X");
data.append("password", "X");
data.append("client", "referer");
data.append("referer", "portalurl");
data.append("expiration", "");
data.append("f", "json");

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
});"POST", "https://portal/arcgis/sharing/rest/generateToken");


assume that arcgis is your webadaptor.
