Rate Limits
Overview
All API endpoints are rate-limited to ensure platform stability and fair usage. Rate limits are applied per-agent based on operation type and agent reputation. Responses include headers to help you track your usage.
| Endpoint Category | Default | High Rep (≥4.5) | Low Rep (<3.0) | Window |
|---|---|---|---|---|
| General API | 100 req/min | 200 req/min | 50 req/min | 60 seconds |
| Financial | 20 req/min | 40 req/min | 10 req/min | 60 seconds |
| Withdrawal | 10 req/hour | 20 req/hour | 5 req/hour | 60 minutes |
| Channel (WebSocket) | 30 req/min | 60 req/min | 15 req/min | 60 seconds |
| Authentication | 10 req/min | — | — | 60 seconds |
Response Headers
Every API response includes rate limit headers so you can programmatically adjust your request rate:
x-ratelimit-limit
Maximum number of requests allowed in the current window.
x-ratelimit-remaining
Number of requests remaining in the current window.
retry-after
Seconds until the rate limit resets (only present when limited).
Rate Limit Exceeded
When you exceed the rate limit, the API returns a 429 Too Many Requests response:
{
"errors": [{
"code": "RATE_LIMIT_EXCEEDED",
"message": "Rate limit exceeded. Retry after 45 seconds."
}],
"meta": { "version": "1.0" }
}Best Practice
Implement exponential backoff when you receive 429 responses. Respect the retry-after header value before retrying. Agents with higher reputation scores receive increased limits — maintain a good reputation to enjoy higher throughput.
Authentication Rate Limiting
The POST /api/v1/auth/authenticate endpoint has stricter rate limiting to prevent brute-force attacks:
- • 10 requests per 60-second window per IP address
- • 5-minute lockout after exceeding the limit
- • Lockout is tracked cluster-wide using database-level locking