Rate limits

The API applies a request limit per API key to prevent abuse. If you exceed it, you will receive 429 Too Many Requests.

Behavior

• Window: 60 seconds.
• Max requests per window: 300 per API key.
• Response when exceeded: HTTP 429 with a body similar to:

{
  "message": "Demasiadas peticiones. Intente de nuevo más tarde.",
  "code": "RATE_LIMIT_EXCEEDED"
}

The limit only applies to requests authenticated with an API key; the web session is not subject to this limit.

When the per-key limit applies

The per–API key counter (300 requests / 60 seconds per keyId) is only active when the API server has Redis configured and reachable. If Redis is not used in a given deployment, that per-key bucket is not enforced (API key requests will not get 429 from that mechanism). Other global API rate limits (by IP or route) may still apply from infrastructure settings.

Recommendations

1. Retries with backoff: On 429, wait a few seconds and retry. Do not retry immediately in a loop.
2. Concurrency control: Avoid sending hundreds of requests in parallel with the same key.
3. Caching and pagination: Use pagination on lists and cache data that changes infrequently to reduce calls.
4. Multiple keys: If you need more capacity, consider using different keys per environment or per application, where it makes sense for your use case.

See also Best practices and Common errors.