Rate limits, quota & errors
Two limits protect the platform: a short-window rate limit per token and a monthly call quota per company. Both surface in headers and in structured error bodies.
Rate limit — 30 / minute
Each token may make up to 30 requests per minute, refilled continuously (a token bucket). Every response includes the current budget:
RateLimit-Limit: 30
RateLimit-Remaining: 27
RateLimit-Reset: 2Exceed it and you get 429 with a Retry-After header telling you how many seconds to wait before retrying.
Monthly quota — 50,000 / month
Across all tokens, a company may make up to 50,000 calls per calendar month (UTC). The counter resets at the start of each month. When the cap is reached, further calls return 429 with code quota_exceeded. Read the running total any time in Settings ▸ API.
ETag/If-None-Match and sparse fieldsets to cut chatter, and honour Retry-After with backoff. Only authenticated calls count — a rejected bad-token request is not metered.Errors are RFC 9457
Failures return application/problem+json with a stable code you can branch on, a human title, the status, and often a detail:
HTTP/1.1 403 Forbidden
Content-Type: application/problem+json
{
"type": "about:blank",
"title": "Token lacks the required scope",
"status": 403,
"code": "insufficient_scope",
"detail": "Required scope: PROJECTS_VIEW"
}Status codes you will see
| Status | When |
|---|---|
| 200 / 201 | Success; 201 on a create. |
| 304 | Conditional GET matched your If-None-Match. |
| 400 | invalid_request — a parameter or body field is missing or malformed. |
| 401 | unauthorized — missing, invalid or revoked token. |
| 402 | feature_off or quota_exceeded — add-on not enabled, or a plan record quota reached. |
| 403 | forbidden / insufficient_scope — IP blocked or scope not granted. |
| 404 | not_found — no such endpoint or record. |
| 409 | Conflict — locked record, delete blocked, or an idempotency-key clash. |
| 429 | Rate limit or monthly quota exceeded. |