Rate Limits & API Quotas

Guidelines for making requests to the CyberVault API. Understanding rate limits ensures optimal performance and protects your organization from accidental quota exhaustion.

Default Rate Limits

Rate limits are applied per API key and vary with your subscription tier. Per-minute limits are calculated with a sliding window (only requests made in the last 60 seconds count, so a burst that straddles a minute boundary is not forgiven); daily caps reset at 00:00 UTC, as described in the FAQ below.

Subscription Tier   Requests / Minute   Requests / Day   Burst Allowance
Starter             60                  10,000           10 simultaneous
Professional        300                 100,000          50 simultaneous
Enterprise          1,000+              Unlimited*       Custom

* Enterprise daily caps are negotiated based on expected traffic volume and use-case.
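To make the sliding-window calculation concrete, here is an added illustration written for this page; it is not CyberVault's server code. The page does not say which sliding-window variant is used, so this shows the simplest one (a log of request timestamps per API key) with the numbers from the POST /v1/auth/login row, 10 requests per 60 seconds, and a constructed scenario of two keys:

```python
"""Sliding-window (sliding-log) rate limiting, per API key.

Added illustration for this page, not CyberVault's implementation: the page
says limits use a sliding window but not which variant, so this shows the
simplest one, a log of request timestamps per key. Numbers come from the
POST /v1/auth/login row (10 requests per 60s)."""
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float = 60.0):
        self.limit = limit
        self.window = window_seconds
        # One deque of request timestamps per API key; keys never share a budget.
        self._log: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, api_key: str, now: float) -> Tuple[bool, int, float]:
        """Decide one request made by `api_key` at time `now` (seconds).

        Returns (allowed, remaining, retry_after_seconds). Only requests made
        in the last `window` seconds count, so a burst straddling a minute
        boundary is not forgiven the way a fixed calendar-minute counter would
        forgive it."""
        log = self._log[api_key]
        while log and log[0] <= now - self.window:  # evict requests that left the window
            log.popleft()
        if len(log) >= self.limit:
            # The next slot opens when the oldest in-window request ages out;
            # that is the value a server would send as Retry-After.
            return False, 0, log[0] + self.window - now
        log.append(now)
        return True, self.limit - len(log), 0.0


def boundary_burst_demo() -> Tuple[bool, float, bool, bool]:
    """Constructed scenario: key 'alpha' logs in 10 times at t=50..59s, then
    tries again at t=61s (denied, even though a new clock minute has started)
    and at t=111s (allowed: the t=50 and t=51 requests have aged out). A
    second key 'bravo' is unaffected because limits are per key."""
    limiter = SlidingWindowLimiter(limit=10, window_seconds=60.0)
    for t in range(50, 60):
        assert limiter.check("alpha", float(t))[0]
    allowed_61, _, retry_after = limiter.check("alpha", 61.0)
    allowed_111 = limiter.check("alpha", 111.0)[0]
    other_key_ok = limiter.check("bravo", 61.0)[0]
    return allowed_61, retry_after, allowed_111, other_key_ok


if __name__ == "__main__":
    print(boundary_burst_demo())  # (False, 49.0, True, True)
```

The retry_after value returned on denial is exactly what a server would round up into a Retry-After header, which is why the client-side advice below is to trust that header rather than guess.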

Endpoint-Specific Overrides

Certain computationally intensive or sensitive endpoints have stricter limits regardless of tier:

Endpoint                     Limit       Reset Window   Notes
POST /v1/auth/login          10 / min    60s            Brute-force protection
POST /v1/threats/scan        5 / min     60s            Heavy computation; uses background jobs
POST /v1/reports/generate    20 / min    60s            PDF/CSV generation
GET  /v1/incidents/*         120 / min   60s            Standard read limit

Response Headers & 429 Handling

Every API response includes rate limit metadata. When you exceed your quota, the API returns 429 Too Many Requests.

Standard Headers

HTTP/1.1 200 OK
X-RateLimit-Limit: 300
X-RateLimit-Remaining: 247
X-RateLimit-Reset: 1718947260

X-RateLimit-Limit is the number of requests your key may make in the current window, X-RateLimit-Remaining is how many of those are left, and X-RateLimit-Reset is the Unix timestamp at which the window resets. Retry-After is sent only with 429 responses and gives the number of seconds to wait before retrying.
Important: Always respect the Retry-After header when you receive a 429, and never retry sooner than it specifies. Implement exponential backoff with jitter on top of it, so that many clients throttled at the same instant do not all retry in lockstep (a thundering herd) and get throttled again.

Example 429 Response

HTTP/1.1 429 Too Many Requests
Retry-After: 12
X-RateLimit-Remaining: 0

{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "You have exceeded your API rate limit. Please retry after 12 seconds.",
    "retry_after": 12,
    "documentation_url": "https://docs.cybervault.io/rate-limits"
  }
}

Best Practices

  1. Cache aggressively: Use ETag and Last-Modified headers to reduce redundant requests.
  2. Batch operations: Use bulk endpoints (e.g., /v1/threats/bulk-check) instead of looping individual calls.
  3. Implement backoff: Start with a 1s delay, doubling on each retry up to 30s. Add 10-30% random jitter.
  4. Monitor usage: Track your X-RateLimit-Remaining values in your application metrics.
  5. Separate keys: Use dedicated API keys for production, staging, and CI/CD pipelines. This isolates quota usage (a runaway test job cannot starve production) and limits the blast radius of a leaked key, since you can revoke one environment's key without disrupting the others.

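The following is an added client-side example for the 429 handling and backoff guidance above (the Important callout and best practices 3 and 4); it is not CyberVault's SDK. It honours Retry-After, falls back to the page's backoff schedule (1s doubling to 30s, plus 10-30% jitter) when Retry-After is absent or shorter, exports the X-RateLimit-* headers as metrics, and refuses to block a worker on a very long Retry-After such as a daily cap that resets at UTC midnight. The send() transport and the response headers are constructed from the examples on this page:

```python
"""Client-side 429 handling: honour Retry-After, back off with jitter, and
track X-RateLimit-* headers. Added example for this page, not CyberVault's SDK.
The transport and its responses are constructed from the page's examples."""
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str = ""


class RateLimitExceeded(Exception):
    """Raised when retries are exhausted or the server asks us to wait too long."""

    def __init__(self, message: str, wait: float):
        super().__init__(message)
        self.wait = wait


def backoff_delay(attempt: int, rng: random.Random,
                  base: float = 1.0, cap: float = 30.0) -> float:
    """This page's schedule: 1s, doubling per retry, capped at 30s, plus 10-30% jitter."""
    delay = min(cap, base * (2 ** attempt))
    return delay * (1.0 + rng.uniform(0.10, 0.30))


def retry_delay(resp: Response, attempt: int, rng: random.Random) -> float:
    """Never retry sooner than Retry-After permits; if it is absent or shorter
    than our own backoff, the backoff wins so repeated 429s space out."""
    wait = backoff_delay(attempt, rng)
    retry_after = resp.headers.get("Retry-After")
    if retry_after is not None:
        try:
            wait = max(wait, float(retry_after))
        except ValueError:
            pass  # the HTTP-date form of Retry-After is not handled in this example
    return wait


@dataclass
class RateLimitMetrics:
    """Last-seen quota headers; in production, push these to your metrics system."""
    limit: Optional[int] = None
    remaining: Optional[int] = None
    reset_at: Optional[int] = None   # Unix timestamp from X-RateLimit-Reset
    throttled: int = 0               # number of 429s observed

    def observe(self, resp: Response) -> None:
        for attr, header in (("limit", "X-RateLimit-Limit"),
                             ("remaining", "X-RateLimit-Remaining"),
                             ("reset_at", "X-RateLimit-Reset")):
            value = resp.headers.get(header)
            if value is not None and value.isdigit():
                setattr(self, attr, int(value))
        if resp.status == 429:
            self.throttled += 1

    def quota_low(self, fraction: float = 0.10) -> bool:
        """True when fewer than `fraction` of this window's requests remain."""
        return (self.limit is not None and self.remaining is not None
                and self.remaining < self.limit * fraction)


def request_with_backoff(send: Callable[[], Response], metrics: RateLimitMetrics,
                         max_attempts: int = 5, max_wait: float = 300.0,
                         sleep: Callable[[float], None] = time.sleep,
                         rng: Optional[random.Random] = None) -> Response:
    """Issue a request via the caller's transport, retrying on 429. A wait longer
    than `max_wait` (e.g. a daily cap that resets at UTC midnight) is raised to the
    caller to reschedule instead of blocking this worker for hours."""
    rng = rng or random.Random()
    for attempt in range(max_attempts):
        resp = send()
        metrics.observe(resp)
        if resp.status != 429:
            return resp
        wait = retry_delay(resp, attempt, rng)
        if wait > max_wait:
            raise RateLimitExceeded(f"server asked us to wait {wait:.0f}s; reschedule", wait)
        if attempt == max_attempts - 1:
            raise RateLimitExceeded("retries exhausted", wait)
        sleep(wait)
    raise AssertionError("unreachable")


def fake_transport(script: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for an HTTP client: returns scripted responses in order."""
    queue = list(script)
    return lambda: queue.pop(0)


# Constructed responses mirroring the header examples on this page.
THROTTLED = Response(429, {"Retry-After": "12", "X-RateLimit-Limit": "300",
                           "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1718947260"})
OK = Response(200, {"X-RateLimit-Limit": "300", "X-RateLimit-Remaining": "247",
                    "X-RateLimit-Reset": "1718947260"}, body='{"incidents": []}')


def demo() -> Tuple[int, List[float], RateLimitMetrics]:
    """Two throttled responses, then success; returns (status, sleeps taken, metrics)."""
    sleeps: List[float] = []
    metrics = RateLimitMetrics()
    second = Response(429, {"Retry-After": "3"})  # shorter Retry-After, backoff(1) is ~2.2-2.6s
    resp = request_with_backoff(fake_transport([THROTTLED, second, OK]), metrics,
                                sleep=sleeps.append, rng=random.Random(7))
    return resp.status, sleeps, metrics


if __name__ == "__main__":
    print(demo())  # (200, [12.0, 3.0], RateLimitMetrics(limit=300, remaining=247, ...))
```

Injecting sleep and rng keeps the retry loop deterministic under test; in production leave the defaults and feed metrics.remaining and metrics.throttled into your monitoring so you see a tier ceiling approaching before it turns into 429s.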
Requesting Higher Limits

If your architecture requires higher throughput or custom rate limit policies, our engineering team can provision dedicated routing and quota overrides. Limit increases typically take effect within 24 hours of approval.

Contact our API solutions team for enterprise-tier adjustments.

FAQ

Q: Do rate limits apply globally or per region?
A: Limits are enforced per API key, regardless of the edge region you connect to. Multi-region failover shares the same quota pool.

Q: What happens when I hit the daily cap?
A: The API will return 429s until the calendar day resets (UTC midnight). Unlike minute limits, daily caps do not have a burst allowance.

Q: Can I view my usage in real-time?
A: Yes. Use the GET /v1/dashboard/usage endpoint or visit the Developer Portal for live metrics and historical graphs.