Rate Limiting
Every authentication route and every state-changing API endpoint is rate-limited. The limits are tiered based on the sensitivity of the operation.
Response Headers
Each rate-limited response includes:
- X-RateLimit-Remaining: requests left in the current window.
- X-RateLimit-Reset: UNIX timestamp (seconds) at which the window resets.
- Retry-After: seconds to wait before retrying (sent only on 429 responses).
What Happens When You Hit the Limit
The endpoint returns HTTP 429 Too Many Requests. The Web Application Firewall also accumulates a per-IP anomaly score; sustained abuse leads to a temporary ban.
Best Practices
- Honor Retry-After instead of polling.
- Cache responses where you can.
- Use API tokens with the smallest scope you need.
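
A client-side handler for the headers and the 429 behaviour described above, added here as an example; it is not the service's SDK or code from this page. It assumes a minimal Response type, an injectable send callable and a scripted fake server with a fake clock, all constructed for the example. The header names and their meaning are the ones documented above; the handling of an HTTP-date in Retry-After and the one-second default backoff are additions not stated on the page.

```python
"""Client-side handling of the rate-limit headers (example added to this page)."""
import time
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, List, Optional

# Wait applied when a 429 carries neither Retry-After nor a usable reset time.
# Assumed default for this example; the page specifies no such value.
DEFAULT_BACKOFF = 1.0


@dataclass
class Response:
    """Minimal response type assumed for the example: status code plus headers."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def retry_after_seconds(resp: Response, now: float) -> float:
    """Seconds to wait before the next request, derived from the documented headers.

    Preference order: Retry-After (documented as seconds; an HTTP-date is also
    accepted because RFC 9110 permits it), then X-RateLimit-Reset when the
    response is a 429 or X-RateLimit-Remaining has reached 0, else no wait.
    Negative or garbled values never produce a negative sleep.
    """
    retry_after = _header(resp.headers, "Retry-After")
    if retry_after is not None:
        try:
            return max(0.0, float(retry_after))
        except ValueError:
            pass
        try:
            return max(0.0, parsedate_to_datetime(retry_after).timestamp() - now)
        except (TypeError, ValueError):
            return DEFAULT_BACKOFF
    remaining = _header(resp.headers, "X-RateLimit-Remaining")
    reset = _header(resp.headers, "X-RateLimit-Reset")
    exhausted = resp.status == 429 or (remaining is not None and int(remaining) <= 0)
    if exhausted and reset is not None:
        return max(0.0, float(reset) - now)
    return DEFAULT_BACKOFF if resp.status == 429 else 0.0


def call_with_backoff(send: Callable[[], Response], *, max_attempts: int = 5,
                      max_wait: float = 60.0, sleep=time.sleep,
                      clock=time.time) -> Response:
    """Issue a request; on 429 sleep as instructed by the server, then retry.

    Only 429 is retried, other statuses go straight back to the caller. The
    wait is capped at max_wait so a bogus header cannot park the client for
    hours. When attempts run out the last 429 is returned for the caller to handle.
    """
    resp = send()
    for _ in range(max_attempts - 1):
        if resp.status != 429:
            break
        sleep(min(retry_after_seconds(resp, clock()), max_wait))
        resp = send()
    return resp


def demo() -> dict:
    """Drive the client against a constructed server: two 429s, then a 200.

    The second 429 deliberately omits Retry-After so the X-RateLimit-Reset
    fallback is exercised. Clock and sleep are faked so this runs instantly.
    """
    start = 1_700_000_000.0               # constructed clock start, UNIX seconds
    now: List[float] = [start]
    slept: List[float] = []
    script = [                            # constructed server responses
        Response(429, {"Retry-After": "2", "X-RateLimit-Remaining": "0",
                       "X-RateLimit-Reset": str(int(start) + 2)}),
        Response(429, {"X-RateLimit-Remaining": "0",
                       "X-RateLimit-Reset": str(int(start) + 5)}),
        Response(200, {"X-RateLimit-Remaining": "0",
                       "X-RateLimit-Reset": str(int(start) + 60)}),
    ]

    def send() -> Response:
        return script.pop(0)

    def sleep(seconds: float) -> None:
        slept.append(seconds)
        now[0] += seconds

    resp = call_with_backoff(send, sleep=sleep, clock=lambda: now[0])
    # The 200 reports an exhausted window: pace the next call until the reset
    # instead of spending a request on a guaranteed 429 (and a WAF anomaly point).
    pace = retry_after_seconds(resp, now[0])
    return {"status": resp.status, "slept": slept, "pace_before_next": pace}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the pacing check after a successful response keeps a well-behaved client from ever triggering a 429 in the first place, which matters because every rejected request also feeds the per-IP anomaly score; and the cap on the sleep protects the client from a misconfigured or hostile Retry-After value.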