Rate limits, quota & errors

Two limits protect the platform: a short-window rate limit per token and a monthly call quota per company. Both surface in headers and in structured error bodies.

Rate limit — 30 / minute

Each token may make up to 30 requests per minute, refilled continuously (a token bucket). Every response includes the current budget:

RateLimit-Limit: 30
RateLimit-Remaining: 27
RateLimit-Reset: 2

Exceed it and you get 429 with a Retry-After header telling you how many seconds to wait before retrying.

Monthly quota — 50,000 / month

Across all tokens, a company may make up to 50,000 calls per calendar month (UTC). The counter resets at the start of each month. When the cap is reached, further calls return 429 with code quota_exceeded. Read the running total any time in Settings ▸ API.

Tip. Use ETag/If-None-Match and sparse fieldsets to cut chatter, and honour Retry-After with backoff. Only authenticated calls count — a rejected bad-token request is not metered.

Errors are RFC 9457

Failures return application/problem+json with a stable code you can branch on, a human title, the status, and often a detail:

HTTP/1.1 403 Forbidden
Content-Type: application/problem+json

{
  "type": "about:blank",
  "title": "Token lacks the required scope",
  "status": 403,
  "code": "insufficient_scope",
  "detail": "Required scope: PROJECTS_VIEW"
}

Status codes you will see

StatusWhen
200 / 201Success; 201 on a create.
304Conditional GET matched your If-None-Match.
400invalid_request — a parameter or body field is missing or malformed.
401unauthorized — missing, invalid or revoked token.
402feature_off or quota_exceeded — add-on not enabled, or a plan record quota reached.
403forbidden / insufficient_scope — IP blocked or scope not granted.
404not_found — no such endpoint or record.
409Conflict — locked record, delete blocked, or an idempotency-key clash.
429Rate limit or monthly quota exceeded.
Docs

Frequently asked questions

The 30/minute rate limit is per token. The 50,000/month quota is per company across all its calls.

At the start of each calendar month in UTC. The used count is visible in the ERP under Settings ▸ API.

Only calls that pass token authentication are metered. Anonymous or bad-token requests are rejected without touching your monthly counter.