API Failure
API failure is the operational risk that the interface between a strategy and the broker or exchange breaks or misbehaves, through rejections, timeouts, rate-limit blocks, disconnections or stale acknowledgements, leaving the algorithm uncertain whether its orders actually reached the market.
Quick answer: API failure is the operational risk that the interface between a strategy and the broker or exchange breaks or misbehaves, through rejections, timeouts, rate-limit blocks, disconnections or stale acknowledgements, leaving the algorithm uncertain whether its orders actually reached the market.
In simple words
API failure is when the connection between your algorithm and your broker breaks or behaves badly. Orders get rejected, time out, or hit rate limits; sometimes you send an order and never learn whether it was accepted. The core danger is uncertainty: the algorithm thinks it exited a position but the order never went through, so it is still exposed without knowing it. Handling this well is less about clever code and more about never assuming an order worked until the broker confirms it did.
Purpose
This page exists because an algorithm's link to the market is a fragile, rate-limited channel it does not control, and mishandling a rejection, timeout or lost acknowledgement can leave positions in a state the strategy does not even realise it is in.
Professional explanation
The API is a channel you do not control
Unlike your own hardware, the broker API and the exchange behind it are outside your control, and they fail in their own ways: scheduled downtime, overload during volatile opens, order rejections for margin or price-band reasons, rate-limit throttling, and outright disconnection. During exactly the volatile moments when you most need to act, expiry, a gap open, a news event, the API is most likely to be slow or rejecting, because everyone else is hammering it too. A strategy must therefore be designed assuming the channel is unreliable and busiest when it matters most, rather than assuming every order sails through instantly.
The lost-acknowledgement problem
The most insidious API failure is not a clean rejection but silence: you send an order and the acknowledgement never arrives, so you do not know whether it was received, filled, or dropped. Naively resending risks a duplicate fill and a double position; not resending risks leaving the intended action undone. The correct handling is idempotency and reconciliation: tag orders with unique client IDs so a resend cannot double-execute, and query the broker for actual order and position state rather than assuming. An algorithm that treats send as equivalent to done will eventually build a phantom position it does not know it holds.
Rate limits and the runaway-retry trap
Broker and exchange APIs enforce limits on orders and requests per second, and breaching them gets you throttled or temporarily blocked, potentially at the worst moment. A common self-inflicted failure is the retry storm: an order fails, the code retries immediately, the retry also fails, and a tight loop floods the API until it blocks the account entirely. Robust clients use bounded retries with backoff, a cap on total attempts, and awareness of the rate budget, so a transient error does not escalate into a self-imposed lockout. In India, exchange and broker order-per-second limits are explicit, and a poorly written algo can exhaust them and lock itself out precisely when it needs to manage risk.
Rejections carry information, handle each kind
Not all failures are equal, and treating every rejection the same is a mistake. A margin rejection means the account cannot support the order and blindly retrying is pointless and possibly harmful; a price-band or circuit rejection means the exchange will not accept the price and the order must be repriced, not resent; a transient network timeout may genuinely warrant a careful retry. A strategy should parse the rejection reason and respond appropriately, because a retry loop that ignores a margin or circuit rejection wastes the rate budget and can mask a real problem, such as the account being closer to a margin call than the algo assumes.
Degrade safely when the API is down
When the API is unreachable for a sustained period, the strategy faces a book it can no longer manage through the normal channel, and its default behaviour matters enormously. The safe design does not keep firing blind; it recognises the outage, stops generating new orders, and falls back to protection that does not depend on the live API, principally protective orders already resting at the exchange and a broker-side auto square-off. It also alerts a human to take over via an independent route. The dangerous design keeps trying to trade through a dead channel, building up queued or duplicate orders that all execute at once when the connection returns, often into a market that has already moved.
Practical example
Illustrative example (Indian market)
A strategy on Rs 5,00,000 sends an order to exit one Nifty lot as the market falls. The API call times out with no acknowledgement; the code, written naively, assumes the exit failed and resends. In fact both orders reach the exchange, and the strategy ends up short one lot instead of flat, an unintended reversed position it does not know it holds. Nifty then rallies 200 points, and the phantom short loses about Rs 15,000 on top of the original trade. A correct client would have tagged each order with a unique client ID so the exchange rejected the duplicate, and would have queried actual position state before resending, discovering it was already flat. The loss came entirely from mishandling a lost acknowledgement, not from a bad market view.
Indian broker APIs such as those used for retail algos publish explicit rate limits (orders and requests per second) and have well-known load stress at 9:15 open and on weekly-expiry afternoons. An algo that retries aggressively can breach the order-per-second limit and get throttled or blocked by the broker exactly during an expiry-day move, leaving it unable to place the very risk-reducing orders it needs, which is why bounded retries and broker-side square-off matter.
Limitations
- The API and exchange are outside your control, so some outages can only be planned around, not prevented
- Reconciliation reduces but cannot fully remove the window of uncertainty during a lost acknowledgement
- Broker-side square-off runs on the broker's rules and timing, which may not match your loss budget
- Rate limits mean that in a fast market you may be unable to send all the orders you want in time
- Idempotency depends on the broker honouring client order IDs, which not all interfaces do consistently
Common mistakes
- Treating an order as done the moment it is sent, before the broker confirms it
- Blindly resending on a timeout without unique client IDs, causing duplicate or reversed positions
- Retrying instantly in a tight loop until the API throttles or blocks the account
- Handling every rejection the same way instead of parsing margin, circuit and timeout reasons distinctly
- Continuing to fire orders into a dead API so they all execute at once when it returns
- Assuming the API will be fast and available during expiry, gaps and news, when it is most stressed
Professional usage
Professional execution systems assume the API is unreliable and busiest when it matters most. They tag every order with a unique client ID for idempotency, reconcile actual order and position state with the broker rather than trusting send-equals-done, and use bounded retries with backoff and a rate budget to avoid self-inflicted throttling. They parse rejection reasons and respond specifically, and when the channel is down they stop firing blind, leaning on exchange-resting protective orders and broker-side square-off while alerting a human through an independent route.
Key takeaways
- API failure is the broker or exchange link breaking, and its worst form is uncertainty over whether an order worked
- Never treat an order as done until confirmed; use unique client IDs so a resend cannot double-execute
- Use bounded retries with backoff to avoid a retry storm that throttles or locks out the account
- When the API is down, stop firing blind and fall back to exchange-resting stops and broker square-off
Frequently asked questions
What is API failure in algorithmic trading?
What is the lost-acknowledgement problem?
How do I avoid duplicate orders after a timeout?
What is a retry storm and how do I prevent it?
Should I retry every rejected order?
What should an algo do when the API goes down?
Why is the API most likely to fail when I need it most?
How does API failure differ from system failure?
What are rate limits and why do they matter?
What is idempotency in order handling?
Can API failure reverse my position?
Does broker-side square-off protect me during an API outage?
How should I test my algo's handling of API failures?
Voice search & related questions
Natural-language questions people ask about API Failure.
What is API failure in trading?
Why are lost order confirmations dangerous?
How do I stop my algo sending duplicate orders?
Why does my algo get blocked by the broker?
What should my algo do if the broker connection dies?
Should I retry every rejected order?
Why is the broker slowest exactly when I need it?
Sources & references
Last reviewed 12 July 2026. Educational content only — not investment advice. Markets and rules change; verify current conventions with SEBI, NSE/BSE and your broker.