Rate Limits

Endpoint type	Limit	Scope
Authentication	10 req/min	per IP
Runtime config	1,000 req/min	per embed token
Consent submit	300 req/min	per embed token
Consent revoke	60 req/min	per embed token
Scan creation	10 req/min	per tenant
Media upload	20 req/min	per tenant
Management (general)	120 req/min	per API key

Rate limit headers

Every response includes:

X-RateLimit-Limit: 120
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1741521600

When rate limited, you receive a 429 response:

{
  "error": {
    "code": "rate_limited",
    "message": "Too many requests. Try again in 30 seconds."
  }
}

Handling rate limits

Implement exponential backoff when you receive a 429:

async function fetchWithRetry(url, options, maxRetries = 3) {
  for (let attempt = 0; attempt < maxRetries; attempt++) {
    const res = await fetch(url, options);
    if (res.status !== 429) return res;

    const retryAfter = parseInt(res.headers.get('X-RateLimit-Reset')) - Date.now() / 1000;
    await new Promise(r => setTimeout(r, (retryAfter + 1) * 1000));
  }
  throw new Error('Rate limit retries exhausted');
}

Rate limit headers​

Handling rate limits​

Rate limit headers

Handling rate limits