Rate limits
Requests are limited per API key (per IP address for unauthenticated requests). The default is 120 requests per minute; individual deployments may configure a different value. Read the rate-limit headers on every response and back off when you're throttled.
Rate-limit headers
Every response carries the current bucket state:
Response headers
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 118
- Name
X-RateLimit-Limit- Type
- integer
- Description
The maximum number of requests allowed per minute for this key.
- Name
X-RateLimit-Remaining- Type
- integer
- Description
Requests remaining in the current window. When it hits
0, further requests are rejected until the window resets.
When you exceed the limit
Over-limit requests return 429 with a Retry-After header (in seconds) and a rate_limit_error:
429 Too Many Requests
{
"error": {
"type": "rate_limit_error",
"code": "rate_limit_exceeded",
"message": "Too many requests. Slow down and retry after the interval in the Retry-After header."
}
}
Guidance
Honor Retry-After — wait the specified number of seconds before retrying.
Hammering a throttled endpoint only extends the backoff.
- Spread bulk work. Prefer one mass import over thousands of individual passport creations — it's dramatically fewer requests and far kinder to the limit.
- Keys aren't a throughput multiplier. Each key has its own bucket, but issuing more keys to sidestep the limit isn't supported. If you consistently need more headroom, contact support.
- Watch
X-RateLimit-Remaining. Slow down proactively as it approaches0rather than waiting for a429.