I am trying to receive player profile data via https://sessionserver.mojang.com/session/minecraft/profile/ .
Up until very recently, there was a limit only on duplicate requests, i.e., you could request the profile for the same UUID only so often per minute. However, you could post an unlimited amount of unique requests, which may be necessary in case a server has many players.
I cannot pinpoint since when that changed, but right now, it appears that even unique requests are limited to about 10 per minute before the API returns HTTP code 429 (too many requests).
I am filing a bug report because this is a heavy and, to the best of my knowledge, unannounced change. I noticed that the contents of the (base64 encoded) texture objects was recently changed, and I presume that this new limit was introduced as an unwanted byproduct.
Edit 3 hours later: Looks like it was patched again, I feel it was likely an issue with being rate limited for offline UUIDs as a global rate limit instead of them acting like unique UUIDs.
Not sure why this got marked as resolved, but this issue still exists. I tested 11 profile URLs (10 of which were using offline server UUIDs) and got rate limited on the 11th UUID which was an online server UUID. I didn't notice this issue until yesterday so maybe something got changed again to cause this bug again.
Servers also rely on this API at times and if a server were to get hit by a bot attack, then you'll have quite a few issues, especially if it's relating to a login process.
Here's a list of UUIDs that I tested, all of them are from an offline server except the last one so the first 10 will return with 204 - No Content. Either way you'll get a rate limit on the last one if you go through them all at once within a minute.