Rate Limits

Attlaz rate limits every API request made to prevent abuse and resource overuse. The limit is applied to each unique combination of caller and endpoint.

We restrict both how frequently a request is made (requests per second rate limit) and how many concurrent requests a caller can make (concurrent rate limit).

The requests per second rate limit follows a fixed window approach. Requests are counted into time buckets, determined by the window size. If the number of requests from a caller exceeds the number of allowed requests within a window, then that request will be rejected. While there is a default rate limit of 40 requests per second, each endpoint can have their own maximum number of requests and window size.

Meanwhile, the concurrent rate limiter will reject requests if the caller has too many requests in progress at the same time.

You can track your rate limit usage by looking at special headers in the response.

Headers

Every API request response includes the following headers:

• X-Attlaz-Rate-Limit-Limit
• The maximum number of requests allowed within the window
• X-Attlaz-Rate-Limit-Remaining
• The number of requests this caller has left on this endpoint within the current window
• X-Attlaz-Rate-Limit-Reset
• The time when the next rate limit window begins and the count resets, measured in UTC seconds from epoch
• X-Attlaz-Rate-Limit-ConcurrentLimit
• The maximum number of concurrent requests allowed within the window
• X-Attlaz-Rate-Limit-ConcurrentRemaining
• The number of concurrent requests this caller has left on this endpoint within the current window

Additional Information

The rate limiter looks at the caller's identity instead of the bearer token or cookie. As such, the rate limit cannot be bypassed by generating multiple tokens.