Rate limiting
Two separate rate limits apply depending on which endpoint you are calling. Both assume an authenticated client — see Authentication for getting and caching a token.
Token endpoint
The POST /oauth/token endpoint allows 100 requests per hour per client_id. Token caching is the primary mitigation — a correctly cached token needs at most one token request per hour.
A 429 response from the token endpoint:
{
"error": "too_many_requests",
"error_description": "Rate limit exceeded for OAuth token requests. Maximum 100 requests per hour allowed. Try again in 420 seconds."
}
The error_description includes the number of seconds until the window resets. Wait that duration before retrying.
GraphQL API
The GraphQL endpoint allows 3600 requests per hour per IP address. Every response includes rate limit headers:
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests allowed in the current window |
X-RateLimit-Remaining | Requests remaining before the limit is hit |
X-RateLimit-Reset | Unix timestamp when the window resets |
A 429 from the GraphQL endpoint is a plain HTTP response — not a GraphQL error envelope:
HTTP 429 Too Many Requests
Too many requests from this IP, please try again later
Do not attempt to parse it as a GraphQL response.
Handling 429 responses
- Check
X-RateLimit-Reset— wait until that Unix timestamp before retrying. - If the header is absent, use exponential backoff starting at 1 second.
- Monitor
X-RateLimit-Remainingproactively and slow down requests before hitting zero. - Never retry immediately on a 429 — the request will fail again.