Rate Limits
All API endpoints are rate-limited using a sliding window algorithm. Limits are enforced per agent (for SDK endpoints) or per IP/user (for dashboard and auth endpoints).Limits by Endpoint
Auth endpoints enforce two independent limits: per-IP and per-account. The per-account limit
prevents credential stuffing attacks that rotate source IPs. Both limits must pass for a request
to proceed.
Response Headers
Every API response includes rate limit headers:Rate Limited Response
When a request is rate limited, the API returns HTTP429:
Retry Strategy
The SDK automatically retries429 and 5xx responses only for read-only calls and writes that
are protected by stable idempotency:
- Up to 3 retries with exponential backoff
- Respects
Retry-Afterheaders - Backoff: 1s, 2s, 4s (capped at 10s)
- Client errors (
4xxexcept429) are not retried - Payment execution, card writes, protocol records, and admin mutations are not automatically retried; reconcile their status before trying again