Rate limits

Application quota

Plan, tenant, API key, domain, Credits, and concurrency limits are enforced by the application. These are the source of truth for customer-specific quotas.

Application 429

When application quota is exceeded, the API returns normalized JSON. It usually includes request_id, the exceeded limit, and a reset_at retry time.

{"request_id":"req_...","error":{"code":"rate_limit_exceeded","message":"Rate limit exceeded.","limit_name":"requests_per_minute","limit":120,"reset_at":"2026-05-13T12:35:00Z"}}

Edge protection 429

For DDoS, abnormal traffic, or short IP-based spikes, Cloud Armor can return a 429 before the request reaches the application. That response can be HTML or plain text and might not include request_id, limit, or reset_at.

Temporary bans and high-volume use

During abnormal access, temporary IP-based limits or ban candidates can apply. Contact us before sustained high-volume usage, fixed-IP automation, load testing, or CI traffic.