Rate limits
Per-key limits and response headers.
API keys share a per-minute rate limit bucket in Postgres.
Default limit
- 167 requests per minute per key when
user_api_keys.rate_limit_per_minuteis unset (platform default). - Platform admins may override the limit per key (1–10,000).
- All Bearer-enabled routes share one bucket per key.
When limits apply
Counts apply only after:
1. The key is valid, 2. The account is not suspended, and 3. X-Workspace-Id resolves to a workspace the key owner owns.
Response headers
Successful and failed responses after authentication on Bearer routes include:
| Header | Meaning |
|---|---|
X-RateLimit-Limit | Requests allowed per minute |
X-RateLimit-Remaining | Requests left in the current window |
X-RateLimit-Reset | Unix timestamp when the window resets |
File downloads (CSV, XLSX, PDF, zip) include the same headers.
Rate limit exceeded
HTTP 429 with JSON:
{
"error": "Rate limit exceeded",
"code": "RATE_LIMIT_EXCEEDED"
}The response includes a `Retry-After` header (seconds). Back off and retry after that interval.
Suspended accounts
HTTP 403 { "error": "Account suspended" } — no quota is consumed.