Rate limits
Each API key can make up to 60 requests per minute. Every response includes headers showing how many requests you have left in the current window.
Response headers
Every authenticated response carries these three:
| Header | Value |
|---|---|
X-RateLimit-Limit | Requests allowed per window (currently 60). |
X-RateLimit-Remaining | Requests left in the current window. |
X-RateLimit-Reset | Unix seconds when the window resets. |
When you exceed the limit
You get a 429 rate_limited response with a Retry-After: <seconds> header pointing at the next window boundary:
{"HTTP/1.1 429 Too Many Requests\nRetry-After: 42\n\n{\"error\":{\"code\":\"rate_limited\",\"message\":\"...\",\"retry_after\":42}}"}
Fixed vs sliding window
The window is fixed, not sliding. In the worst case that means a boundary burst of about 120 requests in one second (last second of window N plus first second of window N+1). If that boundary behavior matters for your workload, get in touch and we can switch you to a sliding window.
Edge protection
In addition to the per-key limiter, a per-IP rate limit shed volumetric junk before it reaches the app. Legitimate traffic never gets close.