Mounting OneDrive with a Self-built Private API


When using Rclone to transfer files to OneDrive, you may run into slow speeds and disconnections. The root cause is hitting the limits of the OneDrive API. Rclone's default built-in API is shared by many people at the same time, which makes these problems more noticeable. Connecting to OneDrive through a self-built private API can greatly improve the situation. In addition, on the three-month Office 365 E5 developer trial, occasional use of Rclone may also lead to automatic renewal, which is safer and more stable than deliberately refreshing the API. The self-built API can also be used by other accounts and applications.

Create OneDrive API

Obtain Client ID


  • Choose any name, select the last account type, and enter http://localhost as the redirect URL.


  • After the application is created, you will see the Client ID. Copy and save it.


Obtain Client Secret

  • Click on Certificates & secrets and follow the numbered steps in the image to add a password.


  • Then you will see the Client Secret. Copy and save it.


Set API Permissions

  • Click on API permissions and follow the instructions in the image to add the following permissions: Files.Read, Files.ReadWrite, Files.Read.All, Files.ReadWrite.All, offline_access, User.Read.


  • Finally, confirm that all the permissions have been added.


Obtain Token

  • Download rclone on your local computer.
  • Taking Windows as an example: unzip the archive and open the folder that contains rclone.exe. In the File Explorer address bar, type cmd and press Enter to open a command prompt in that folder.
  • Replace Client_ID and Client_secret in the following command and execute it.
rclone authorize "onedrive" "Client_ID" "Client_secret"

Next, a browser will pop up and ask you to log in to authorize rclone. After authorization, the command prompt window will display the following information:

If your browser doesn't open automatically go to the following link:
Log in and authorize rclone for access
Waiting for code...
Got code
Paste the following into your remote machine --->
<---End paste

The entire content {"access_token":"xxxxxxxxxxxxxxxxxx","expiry":"2020-02-22T21:18:39.5036298+08:00"} (including the curly braces) is the token. Copy and save it.
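As an added example (not from the original post and not part of rclone), this Python script pulls the token out of the captured command-prompt output, checks that it is well formed, and builds a summary that can be logged without exposing the secret. The function names, the sample output, and the token_type and refresh_token fields in it are assumptions; all token values are constructed placeholders.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of the command-prompt output; token values are placeholders.
SAMPLE_OUTPUT = """Waiting for code...
Got code
Paste the following into your remote machine --->
{"access_token":"xxxxxxxxxxxxxxxxxx","token_type":"Bearer","refresh_token":"yyyyyyyyyyyy","expiry":"2020-02-22T21:18:39.5036298+08:00"}
<---End paste
"""

def extract_token(output):
    """Return the token JSON object found between rclone's paste markers."""
    m = re.search(r"--->\s*(\{.*?\})\s*<---End paste", output, re.DOTALL)
    if not m:
        raise ValueError("no token block between the paste markers")
    token = json.loads(m.group(1))
    for field in ("access_token", "expiry"):
        if not token.get(field):
            raise ValueError(f"token is missing {field!r}")
    return token

def parse_expiry(value):
    """Parse the expiry timestamp: any number of fractional digits, 'Z' or an offset."""
    # datetime stores microseconds only, so cut or pad the fraction to 6 digits.
    value = re.sub(r"\.(\d+)", lambda m: "." + m.group(1)[:6].ljust(6, "0"), value)
    value = re.sub(r"Z$", "+00:00", value)
    return datetime.fromisoformat(value).astimezone(timezone.utc)

def summarize(token, now=None):
    """Describe the token without exposing any secret value (safe to log)."""
    now = now or datetime.now(timezone.utc)
    expiry = parse_expiry(token["expiry"])
    return {
        "access_token": "<redacted, %d chars>" % len(token["access_token"]),
        "expires_utc": expiry.isoformat(),
        "access_token_expired": expiry <= now,
        # Assumption: with offline_access granted the blob carries a refresh_token;
        # without one the remote stops working once the access token expires.
        "has_refresh_token": bool(token.get("refresh_token")),
    }

if __name__ == "__main__":
    print(summarize(extract_token(SAMPLE_OUTPUT)))
```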

Other Notes

Limitations of Private API

Although using a self-built private API can improve the upload experience, uploading too frequently can still be restricted.

What is the threshold for OneDrive API limitations?

Microsoft does not explicitly state the limitations of the OneDrive API. The following is the original text from the official documentation:

We adjust thresholds based on usage so that users can consume the maximum number of resources without compromising reliability and performance.

By examining the limitations of other types of APIs, it can be inferred that there are limitations in terms of total count and frequency. Total count refers to the number of calls allowed within a day, while frequency refers to the number of calls allowed per minute. Once the threshold is reached, file uploads will be restricted.

Since the exact values cannot be obtained from the official documentation, is it possible to determine the exact values through actual testing? The answer is no. No patterns were found during actual testing, so it can be concluded that these limitations are dynamically adjusted, which is consistent with the official documentation.

How to avoid OneDrive API limitations?

Do not upload too many files within a short period of time. The file size does not matter; the key is the number of files.

About Office 365 E5 Automatic Renewal

Based on the author's experience with the developer trial version for several years, as long as you use a self-built private API, automatic renewal is possible. However, there is no standard frequency, and more is not necessarily better. Deliberately refreshing the API may not be worth it, especially when using GitHub Actions, as the servers are provided by Microsoft Azure, making it easy to identify meaningless API refreshes used by many people in a similar way.
