Rate Limiting

Overview

To ensure responsible usage of the SheerID REST API, we have instituted various rate limiting policies for REST endpoints. Callers should familiarize themselves with these limits and implement applications with these policies in mind.

Policies

The applicable rate limit policies for a given endpoint are listed on that endpoint's documentation page, which can be found in the REST Resources Documentation. All requests against a given endpoint count against the rate limit, including user errors as indicated by a 4XX response code.

Rate limits are enforced by counting the number of actions taken in a rolling window of time, such as the last 15 minutes. If the total number of actions in this window of time is higher than the allowable limit for that period, the request will be rejected with HTTP status code 429: Too Many Requests. Callers can wait for older actions to expire out of the rolling window before re-submitting the request, or wait until the end of the window for the count to completely reset.

Response Headers

In order to convey rate limiting status to integrators, the SheerID REST API returns various HTTP response headers with information about the status of the applicable rate limit policies. Consult the table below for more information.

Header Name Value
X-RateLimit-Account-Limit The total number of actions allowed by the policy
X-RateLimit-Account-Remaining The number of actions remaining
X-RateLimit-Account-Reset A UTC timestamp (millisecond resolution) that marks the end of the rolling window. If no more actions subject to this rate policy are taken, the remaining count will be equal to the limit at this time.

Whitelisting

Some API users will have a legitimate need for higher rate limit thresholds. SheerID can raise these limits upon request.