Skip to content

Rate Limits

The Customer API enforces rate limits to protect service stability and ensure fair usage across all integrators. Limits are applied per user (identified by OAuth client and user ID) unless otherwise noted.

Response Headers

Every response includes rate limit headers:

HeaderDescription
X-RateLimit-LimitMaximum requests allowed in the current window
X-RateLimit-RemainingRequests remaining in the current window
X-RateLimit-ResetUnix timestamp when the current window resets

When a rate limit is exceeded, the API returns a 429 Too Many Requests response with a Retry-After header indicating the number of seconds to wait before retrying.

Limits by Endpoint Group

Rate limits for authenticated endpoints are scoped to the combination of your OAuth client_id and the authenticated user_id. Each user of your integration has their own independent rate limit budget. Unauthenticated endpoints (authentication flows) are rate limited by client IP address.

Endpoint GroupLimit
Authentication (login, logout, authorize, signup, token)300/min
Agreements300/min
Counterparties300/min
Customer300/min
Notifications300/min
Pockets120/min
Portals300/min
Reports300/min
Subscriptions300/min
Team300/min
Trades120/min
Trading Strategies300/min
Transactions120/min
Transfer Requests (read)120/min
Transfer Requests (create)60/min, 1/sec
User300/min

Best Practices

  • Monitor response headers to track your remaining budget and avoid hitting limits.
  • Implement exponential backoff when you receive a 429 response. Use the Retry-After header to determine the minimum wait time.
  • Spread requests over time rather than sending bursts. Bursting can exhaust your per-minute budget quickly even if your average request rate is well within limits.