Rate Limits
Throttle scopes, rates, and applicable endpoints.
Throttle Scopes
| Scope | Rate | Throttle Key | Endpoints |
|---|---|---|---|
| api_key_create | 50/second | Per API key | POST /api/v1/payment-sessions/ |
| api_key_cancel | 50/second | Per API key | POST /api/v1/payment-sessions/{token}/cancel/ |
| browser_read | 1/second | Per IP | GET /api/v1/payment-sessions/{token}/ |
| browser_pay | 1/second | Per IP | POST /api/v1/payment-sessions/{token}/pay/ |
| browser_verify | 1/second | Per IP | POST /api/v1/payment-sessions/{token}/verify/ |
| iban_validate | 50/second | Per API key | POST /api/v1/iban-validate/ |
| api_key_reconciliation | 50/second | Per API key | GET /api/v1/reconciliation/transactions/, GET /api/v1/reconciliation/chargebacks/, GET /api/v1/reconciliation/subscriptions/ |
Throttle Key Resolution
The ApiKeyRateThrottle class determines the throttle key based on the authentication method:
| Authentication | Throttle Key |
|---|---|
| API key (rk_ prefix) | API key primary key (per-key throttling) |
| Session token (ps_ prefix) | Client IP address |
| Unauthenticated | Client IP address |
Rate Limit Response
When a rate limit is exceeded, the API returns:
HTTP/1.1 429 Too Many Requests
Retry-After: 60

{
  "detail": "Request was throttled. Expected available in 60 seconds.",
  "status_code": 429
}
The Retry-After header indicates how many seconds to wait before retrying.
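The key resolution and 429 behaviour described above, as an added standard-library sketch; it is not the project's ApiKeyRateThrottle or DRF code. The `API_KEYS` store, the key and token strings, the bucket-name format, the sliding-window bookkeeping and the fallback of an unrecognised `rk_` value to the IP bucket are assumptions made for illustration.

```python
import math
from collections import defaultdict, deque

# Scope -> (allowed requests, window in seconds); rates taken from the Throttle Scopes table.
RATES = {"api_key_create": (50, 1.0), "browser_pay": (1, 1.0)}

# Constructed sample data: API key string -> primary key (hypothetical key store).
API_KEYS = {"rk_example_merchant_a": 101, "rk_example_merchant_b": 102}


def throttle_key(scope, credential, client_ip):
    """Pick the bucket a request is counted in, following the resolution table."""
    if credential and credential.startswith("rk_"):
        pk = API_KEYS.get(credential)
        if pk is not None:
            return f"{scope}:key:{pk}"  # per-key throttling, independent of source IP
    # ps_ session tokens and unauthenticated requests are counted per client IP.
    # Assumption: an unrecognised rk_ value is treated as unauthenticated.
    return f"{scope}:ip:{client_ip}"


class SlidingWindowThrottle:
    """Keeps recent request timestamps per bucket and rejects once the rate is used up."""

    def __init__(self, rates):
        self.rates = rates
        self.history = defaultdict(deque)

    def check(self, scope, credential, client_ip, now):
        """Return (status_code, retry_after); retry_after is None unless throttled."""
        limit, window = self.rates[scope]
        hits = self.history[throttle_key(scope, credential, client_ip)]
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= now - window:
            hits.popleft()
        if len(hits) >= limit:
            # Whole seconds until the oldest counted request leaves the window.
            return 429, math.ceil(hits[0] + window - now)
        hits.append(now)
        return 200, None
```

Because session-token requests are bucketed by IP, two different `ps_` tokens arriving from the same address share one 1/second allowance, while two API keys behind the same address are counted separately.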
Default Throttle Class
All endpoints use DRF's ScopedRateThrottle as the default throttle class. Views override it with ApiKeyRateThrottle when per-API-key throttling is needed.
REST_FRAMEWORK = {'DEFAULT_THROTTLE_CLASSES': ['rest_framework.throttling.ScopedRateThrottle']}