Rate limits

Requests are limited per API key (per IP address for unauthenticated requests). The default is 120 requests per minute; individual deployments may configure a different value. Read the rate-limit headers on every response and back off when you're throttled.

Rate-limit headers

Every response carries the current bucket state:

Response headers

X-RateLimit-Limit: 120
X-RateLimit-Remaining: 118
  • Name
    X-RateLimit-Limit
    Type
    integer
    Description

    The maximum number of requests allowed per minute for this key.

  • Name
    X-RateLimit-Remaining
    Type
    integer
    Description

    Requests remaining in the current window. When it hits 0, further requests are rejected until the window resets.

When you exceed the limit

Over-limit requests return 429 with a Retry-After header (in seconds) and a rate_limit_error:

429 Too Many Requests

{
  "error": {
    "type": "rate_limit_error",
    "code": "rate_limit_exceeded",
    "message": "Too many requests. Slow down and retry after the interval in the Retry-After header."
  }
}

Guidance

  • Spread bulk work. Prefer one mass import over thousands of individual passport creations — it's dramatically fewer requests and far kinder to the limit.
  • Keys aren't a throughput multiplier. Each key has its own bucket, but issuing more keys to sidestep the limit isn't supported. If you consistently need more headroom, contact support.
  • Watch X-RateLimit-Remaining. Slow down proactively as it approaches 0 rather than waiting for a 429.

Was this page helpful?