Rate Limits

Understand rate limiting behavior and how to handle throttled requests.

Overview

Rate limiting is applied to specific API endpoints to prevent abuse and ensure service stability. Most REST API endpoints do not have per-request rate limits. The endpoints listed below enforce rate limiting using a token bucket algorithm.

Rate-Limited Endpoints

POST /domains/verify10/min

Per organization|Domain ownership verification requests

GET /domains/dns-check20/min

Per IP address|Domain DNS record lookups

SCIM /scim/v2/*100/min

Per organization|All SCIM 2.0 provisioning endpoints (Users, Groups)

GET /api/v1/audit-logs100/min

Per API key|SIEM audit log export

Response Headers

When a rate-limited endpoint returns a 429 Too Many Requests response, the following header is included:

Retry-AfterSeconds to wait before retrying the request

Handling 429 Responses

When you exceed the rate limit, the API returns a 429 Too Many Requests response. Implement exponential backoff with the Retry-After header:

async function fetchWithRetry(url, options, maxRetries = 3) {
  for (let attempt = 0; attempt < maxRetries; attempt++) {
    const response = await fetch(url, options);

    if (response.status === 429) {
      const retryAfter = response.headers.get('Retry-After');
      const waitTime = retryAfter
        ? parseInt(retryAfter) * 1000
        : Math.pow(2, attempt) * 1000;
      await new Promise(resolve => setTimeout(resolve, waitTime));
      continue;
    }

    return response;
  }
  throw new Error('Max retries exceeded');
}