429 status code, but they mean different things and should be handled differently.
Rate Limits (Per-Minute)
All endpoints are limited to 120 requests per 60 seconds per API key. Unauthenticated requests (missing or invalid key) are rate limited per IP address. When you exceed the limit, the API returns a429 with error type rate_limit_error. This means “slow down and retry in a few seconds.”
Rate Limit Headers
Every authenticated response includes headers so you can monitor your usage:| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests allowed per window (120) |
X-RateLimit-Remaining | Requests remaining in the current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
Retry-After | Seconds to wait before retrying (only present on 429 responses) |
Monthly API Call Limits
Each company has a monthly cap on total API calls, based on its plan:| Plan | Monthly Limit |
|---|---|
| Formation (free) | 10 |
| Startup ($30/month) | 300 |
| Growth ($300/month) | 30,000 |
429 with error type limit_error. This means “you are out of quota for the month, upgrade or wait for the reset.”
What counts: All authenticated requests count, regardless of HTTP status. A 400 from bad params counts the same as a 200. Only unauthenticated requests (401) and burst-rate-limited requests do not count. Blocked requests (after hitting the monthly limit) are also not counted.
Best Practices
- Check headers proactively. Monitor
X-RateLimit-Remainingand slow down before you hit the burst limit. - Use larger page sizes. When paginating, set
limitup to 500 to pull more data per request and reduce total calls. - Add backoff logic. If you receive a
429withrate_limit_error, wait for theRetry-Afterperiod. If you receive a429withlimit_error, stop making requests and either upgrade or wait for the monthly reset. - Cache responses. If you’re repeatedly pulling the same data, cache it on your end to conserve your monthly quota.