Rate limiting
Two layers apply; the stricter one wins:
| Layer | Default | Scope |
|---|---|---|
| Per-key general limit | 60/min (configurable per key) | all endpoints |
| Messaging send limit | lower per-minute + daily cap per channel | SMS / WhatsApp / Email send |
Every response includes rate-limit headers:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 58
On exceed → 429 Too Many Requests:
HTTP/1.1 429 Too Many Requests
Retry-After: 23
{ "error": { "code": "rate_limited", "message": "Rate limit exceeded. Retry after 23 seconds." } }
Back off and retry after Retry-After seconds. Use exponential backoff with jitter under
sustained load. Limits are keyed on your API key, not your IP — so embedded widgets calling
from many end-user IPs share one budget.