Rate Limits
Rate limit tiers, headers, and best practices.
Tiers
Every API key has a rate limit tier that determines the maximum number of requests per minute:
| Tier | Limit | Availability |
|---|---|---|
| Standard | 100 requests / minute | All API keys (default) |
| Premium | 1,000 requests / minute | Contact us for upgrade |
Rate limits are applied per API key using a sliding window algorithm. Test and live keys have independent rate limits.
Response Headers
Every API response includes rate limit headers:
| Header | Description | Example |
|---|---|---|
X-RateLimit-Limit | Maximum requests per window | 100 |
X-RateLimit-Remaining | Requests remaining in current window | 87 |
X-RateLimit-Reset | Unix timestamp when the window resets | 1741305660 |
429 Too Many Requests
When you exceed your rate limit, the API returns:
HTTP/1.1 429 Too Many RequestsX-RateLimit-Limit: 100X-RateLimit-Remaining: 0X-RateLimit-Reset: 1741305660{"error": {"code": "RATE_LIMIT_EXCEEDED","message": "Rate limit exceeded. Retry after 1741305660."}}
Best Practices
- Check headers proactively — Monitor
X-RateLimit-Remainingto throttle before hitting the limit. - Use exponential backoff — On 429, wait until
X-RateLimit-Resetbefore retrying. Add jitter to avoid thundering herd. - Batch where possible — Use batch endpoints (e.g.
POST /v1/compliance/batch/status) instead of individual calls. - Use webhooks — Instead of polling for status changes, subscribe to webhook events to reduce API calls.
- Separate keys by use case — Use different API keys for different services so one noisy service doesn't exhaust the limit for others.
Implementation Details
Rate limiting uses a Redis sorted set sliding window. Each request adds an entry with the current timestamp. The window spans 60 seconds. Expired entries are pruned on each request. This provides smooth, accurate rate limiting without the burst issues of fixed windows.