Pending Authorizations ratelimit

Small question on the Pending Authorizations ratelimit:

The RFC states that an Authorization is created in the pending state. Great.

When I create a new AcmeOrder, the response contains this payload:

 "authorizations": [
   "https://example.com/acme/authz/PAniVnsZcis",
   "https://example.com/acme/authz/r4HqLzrSrpI"
 ],

Is the content of the “authorizations” payload considered to be a fully created Authorization that counts towards this ratelimit?

Or

Is the content essentially a promise which will create a pending Authorization when first visited (unless it is an existing Authorization)?

I expect the first scenario to be what is happening, but I wanted to ask about the second case - because 3 certs with 100 domains each would fully consume the ratelimit if there were no cleanup routine in the client. My client is set to revoke all 100, but I wanted to be sure.

Yes, this is correct.

Note that they would only consume that limit if the authorizations were not attempted (i.e. did not become “valid” or “invalid”). When an authorization is attempted, it stops counting against the Pending Authorizations limit. In a way, this is not really a “rate” limit so much as an “extant objects” limit.

Great! Thank you!

Understood. One of our client unit tests fails on Authorization 1 of 100; the client currently short-circuits out when that happens and the authorizations get cleaned up by another process. The other auths are not validated because we’re not sure when we’ll process them in a new order.
.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.