Best Practices
This guide covers essential best practices for working with the Egnyte Public API, including authentication, rate limiting, data formatting, and error handling.
Using Access Tokens
Obtain and Cache Tokens
After obtaining an API key, authenticate to receive an access token for all API requests. See Authentication for details on obtaining tokens for your application type.
Always cache your access token. Do not request a new token for every API call. Tokens expire after 30 days or when the user changes their password.
Permission Context
All API actions execute within the permission context of the authenticated user. You can only access resources (files, folders, etc.) that the user has permission to access.
User Impersonation
Administrators can perform actions on behalf of another user using impersonation. Impersonated calls execute in the context of the impersonated user and are logged as such in audit reports. See Impersonation below for implementation details.
Rate Limiting
Default Limits
Rate limits are enforced per access token, not per API key. If one user exceeds their quota, other users under the same key remain unaffected.
| Scope | Limit |
|---|---|
| Standard API calls | 1,000 calls per day per token2 calls per second per token |
| OAuth token endpoint (Public app) | 100 token requests per hour |
| OAuth token endpoint (Internal app) | 10 token requests per user per hour |
| AI APIs | 100 calls per day per token10 calls per minute per token2 calls per second per token |
Note: If your production application requires higher limits, contact Egnyte to discuss custom arrangements.
Proactive Rate Limit Monitoring
Monitor rate limit headers in every API response to avoid hitting limits. Parse these headers and implement throttling logic in your application.
Rate Limit Headers
| Header | Description | Example |
|---|---|---|
X-Accesstoken-Qps-Allotted | Queries per second allowed for this token | 20 |
X-Accesstoken-Qps-Current | Queries per second consumed (resets every second) | 1 |
X-Accesstoken-Quota-Allotted | Queries per day allowed for this token | 2000000 |
X-Accesstoken-Quota-Current | Queries per day consumed (resets at 00:00 UTC) | 2 |
Implementation Strategy
- Check QPS on each response: If
X-Accesstoken-Qps-Currentequals or approachesX-Accesstoken-Qps-Allotted, pause for 1 second before the next request. - Monitor daily quota: Track
X-Accesstoken-Quota-Currentto avoid exceeding your daily limit.
OAuth Token Endpoint Rate Limiting
The OAuth token endpoint (/puboauth/token) has separate rate limits:
- Public apps: 100 token requests per hour
- Internal apps: 10 token requests per user per hour
When throttled, you receive a 409 Conflict response with a Retry-After header indicating seconds until the limit resets.
Note: You should rarely encounter this limit. Request tokens once per user and persist them rather than requesting repeatedly.
Formats
File System Paths in URLs
When including file paths in URLs, encode each path segment individually. Do not encode forward slashes (/) between segments.
Example:
Original path:
/Shared/example?path/$file.txt
Correctly encoded:
/Shared/example%3Fpath/%24file.txt
This encoding is critical for File System and Permissions API endpoints.
Timestamps
All dates and times use ISO 8601 format.
Examples:
- Date:
2014-05-27 - Date and time:
2014-05-27T22:27:01Z
Impersonation
Administrators can impersonate any user by including one of the following headers in API requests:
X-Egnyte-Act-As: {username}
or
X-Egnyte-Act-As-Email: {email}
Note: Use only one impersonation header. If both are provided, X-Egnyte-Act-As-Email is ignored.
Requirements
- The OAuth token must belong to an administrator
- The impersonated user must exist in the domain
Example: Create Folder as Another User
HTTP
POST /pubapi/v1/fs/Shared/test HTTP/1.1
Host: apidemo.egnyte.com
Authorization: Bearer 68zc95e3xv954u6k3hbnma3q
X-Egnyte-Act-As-Email: test@test.com
Content-Type: application/json
cURL
curl -X POST \
-H "Authorization: Bearer 68zc95e3xv954u6k3hbnma3q" \
-H "X-Egnyte-Act-As-Email: test@test.com" \
-H "Content-Type: application/json" \
"https://apidemo.egnyte.com/pubapi/v1/fs/Shared/test"
curl -i -X POST "https://{domain}.egnyte.com/pubapi/v1/fs/Shared/test" \ -H "X-Egnyte-Act-As-Email: test@test.com" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Common HTTP Headers
Request Headers
| Header | Value | Description |
|---|---|---|
Content-Type | application/json | Specifies the format of the request body |
Authorization | Bearer {access_token} | OAuth token obtained through the OAuth flow |
X-Egnyte-Act-As | {username} | Optional. Username to impersonate |
X-Egnyte-Act-As-Email | {email} | Optional. Email of user to impersonate. Ignored if X-Egnyte-Act-As is also present |
Response Headers
| Header | Value | Description |
|---|---|---|
Content-Type | application/json | Specifies the format of the response body |
Common Response Codes
| Status | Description |
|---|---|
| 200 | Successful operation |
| 201 | Successful creation |
| 204 | Successful operation with no response body |
| 400 | Request is syntactically incorrect |
| 401 | Authentication failure — invalid or expired token |
| 403 | Authorization failure — insufficient permissions |
| 404 | Resource not found |
| 409 | Conflict with an existing resource or rate limit exceeded |
Error Messages
Errors are returned in the HTTP status code and response body. The response body contains an Errors array with detailed error information. Multiple errors may be included if applicable.
Example Error Response
HTTP/1.1 404 NOT FOUND
{
"Errors": [
{
"description": "Link does not exist.",
"code": "404"
}
]
}
Related Resources
- Authentication — How to obtain and refresh OAuth tokens
- File System API — Create, read, update, and delete files and folders
- Permissions API — Manage user and group permissions
