Rate Limiting
Rate Limiting
The Skycloak API enforces per-consumer rate limits to ensure fair use and platform stability.
Limits
| Window | Limit |
|---|---|
| Per second | 5 requests |
| Per minute | 300 requests |
| Per hour | 5,000 requests |
| Per day | 25,000 requests |
Rate limits are applied per workspace.
Response Headers
Every API response includes rate limit headers. The IETF standard headers reflect the most restrictive active window:
| Header | Description |
|---|---|
RateLimit-Limit |
Maximum requests allowed in the current window |
RateLimit-Remaining |
Requests remaining in the current window |
RateLimit-Reset |
Seconds until the current window resets |
Per-window headers give granular visibility into each time window:
| Header | Description |
|---|---|
X-RateLimit-Limit-Second |
Per-second request limit |
X-RateLimit-Remaining-Second |
Requests remaining this second |
X-RateLimit-Limit-Minute |
Per-minute request limit |
X-RateLimit-Remaining-Minute |
Requests remaining this minute |
X-RateLimit-Limit-Hour |
Per-hour request limit |
X-RateLimit-Remaining-Hour |
Requests remaining this hour |
X-RateLimit-Limit-Day |
Per-day request limit |
X-RateLimit-Remaining-Day |
Requests remaining today |
Example headers:
RateLimit-Limit: 5
RateLimit-Remaining: 3
RateLimit-Reset: 1
X-RateLimit-Limit-Second: 5
X-RateLimit-Remaining-Second: 3
X-RateLimit-Limit-Minute: 300
X-RateLimit-Remaining-Minute: 287
X-RateLimit-Limit-Hour: 5000
X-RateLimit-Remaining-Hour: 4980
X-RateLimit-Limit-Day: 25000
X-RateLimit-Remaining-Day: 24960
Handling 429 Responses
When you exceed a limit, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait:
Retry-After: 1
{
"type": "https://skycloak.io/docs/api/errors#rate-limit-exceeded",
"title": "Rate Limit Exceeded",
"detail": "Rate limit exceeded. Retry after 1 second.",
"status": 429
}Retry Strategy
Always retry 429 responses — respect the Retry-After header value. For transient server errors (500, 503), use exponential backoff with jitter:
- Wait for the
Retry-Afterduration (for 429) or start with 1s (for 5xx) - Double the delay on each subsequent retry
- Cap the delay at a maximum (e.g., 32s)
- Add random jitter to avoid thundering-herd problems
Never retry 4xx errors other than 429 — they indicate a problem with the request itself.
Last updated on