Rate limits are applied per authenticated principal: per user (for SAML/OIDC) or per API key (for service accounts). Limits are enforced using a sliding window algorithm.

Default limits

| Limit | Default | Applies to |
| --- | --- | --- |
| Requests per minute | 60 | All endpoints combined |
| Burst | 10 | Additional requests above the per-minute rate allowed in short bursts |
| depth: deep lookups per minute | 10 | POST /v1/lookup with depth: deep only |

Changing limits

Limits are configurable per deployment via environment variables:
RATE_LIMIT_REQUESTS_PER_MINUTE=60
RATE_LIMIT_BURST=10
RATE_LIMIT_DEEP_LOOKUPS_PER_MINUTE=10
Per-principal overrides (e.g. higher limits for a specific service account) are configured in the deployment’s role configuration file. Contact Intrace for details on custom limit tiers.

Rate limit headers

Every API response includes rate limit headers:
| Header | Description |
| --- | --- |
| X-RateLimit-Limit | The request limit per minute for this principal. |
| X-RateLimit-Remaining | Requests remaining in the current window. |
| X-RateLimit-Reset | Unix timestamp when the current window resets. |
When the limit is exceeded, the response is 429 Too Many Requests with a Retry-After header indicating how many seconds to wait.

Recommendations

  • For batch processing, space requests to stay within the per-minute limit rather than bursting and waiting.
  • Use depth: standard for high-volume screening workflows. Reserve depth: deep for targeted investigations where broader coverage is required.
  • Monitor X-RateLimit-Remaining in your integration and back off gracefully when it approaches zero.
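
The pacing and back-off recommendations above, sketched as a client-side helper. This is an added example, not Intrace code: next_delay, run_batch, MAX_WAIT and low_water are hypothetical names, and send is a caller-supplied function returning (status, headers, body). Header values are treated as untrusted input, so malformed or extreme values are ignored or clamped.

```python
import math
import time

MAX_WAIT = 120.0  # assumption: clamp so a malformed header cannot stall the client


def _num(headers, name):
    """Case-insensitive numeric header lookup; None if absent or malformed."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            try:
                v = float(value)
            except (TypeError, ValueError):
                return None
            return v if math.isfinite(v) else None
    return None


def next_delay(status, headers, now, low_water=2, default_limit=60):
    """Seconds to wait before the next request, from one response's headers."""
    limit = _num(headers, "X-RateLimit-Limit")
    if limit is None or limit <= 0:
        limit = default_limit
    pace = 60.0 / limit  # even spacing instead of burst-and-wait
    if status == 429:
        retry = _num(headers, "Retry-After")
        wait = retry if retry is not None else 60.0
        return min(max(wait, pace), MAX_WAIT)
    remaining = _num(headers, "X-RateLimit-Remaining")
    reset = _num(headers, "X-RateLimit-Reset")
    if remaining is not None and remaining <= low_water and reset is not None:
        return min(max(reset - now, pace), MAX_WAIT)  # wait out the window
    return pace


def run_batch(items, send, sleep=time.sleep, clock=time.time, max_retries=3):
    """Send each item, pacing between calls; retry an item on 429."""
    results = []
    for item in items:
        for _attempt in range(max_retries + 1):
            status, headers, body = send(item)
            sleep(next_delay(status, headers, clock()))
            if status != 429:
                break
        results.append((item, status, body))
    return results
```

The sleep and clock parameters exist so the pacing logic can be exercised in tests without real waiting.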