Skip to main content

Limits

Rate limiting uses a 60-second sliding window. The limit is applied per API key (when a Bearer token is present) or per IP address (for unauthenticated endpoints).

Response headers

Every response includes rate limit headers:
When a request is rejected:
  • X-RateLimit-Limit — the maximum number of requests in the window
  • X-RateLimit-Remaining — how many requests remain after this one
  • X-RateLimit-Reset — Unix timestamp when the oldest entry in the window expires
  • Retry-After — seconds until the oldest entry expires (only on 429)

Notes

Rate limits are held in memory. A server restart resets all counters. In multi-instance deployments, limits are per-process — add a shared cache (Redis, Upstash) if you need cluster-wide limits.