Rate limits
Rate limits are enforced per API key, per endpoint, per minute. They protect both us (capacity) and you (a runaway script).
Default limits
| Endpoint class | Default limit | Where it applies |
|---|---|---|
| Read endpoints (GET) | 600 req/min | All GET endpoints |
| Standard writes (POST, PATCH) | 120 req/min | Default for any write that doesn't have a special bucket |
| Login / token endpoints | 5 req/min per IP | /api/auth/login, password resets |
| Fast-path evaluators | 600–1000 req/min | POST /api/evaluate, POST /api/transactions/evaluate — high volume by design |
| Screening / synchronous scoring | 60 req/min | POST /api/screenings, POST /api/lookup |
| File uploads | 60 req per 10 min | POST /api/documents/upload, POST /api/analyses/upload |
Per-product overrides are documented on each product's overview page.
Headers
Every response includes:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 47
X-RateLimit-Reset: 1716552060
Retry-After: 13 ← present only on 429
Reset is a Unix timestamp (seconds). Retry-After is seconds to wait, present only when you're rate-limited.
What a 429 looks like
{
"error": "rate limit exceeded",
"bucket": "screenings.create",
"limit": 60
}
The bucket field tells you which limit you hit — useful when one key calls multiple endpoints with different limits.
Higher limits
If your traffic doesn't fit the defaults, talk to us before you launch. We tune limits per org, especially for:
- Real-time transaction monitoring (banks, e-money, wallets) — usually 5,000–20,000 req/min on POST /api/transactions/evaluate.
- Bulk batch screening at quarter-end — burst windows, not steady-state.
- Mobile-app device-session registrations at install time — usually 500–2,000 req/min on POST /api/device-session.
Email sales@quantumelixir.tech with your expected p95 RPS, geographic distribution, and tolerance for queueing.
Client-side advice
Build a token bucket on your side too
Don't rely on our 429s as your only rate control. Implement a client-side token bucket that stays comfortably below your provisioned limit — that way retries never compound, and you keep headroom for occasional bursts.
The Quantum Elixir client SDKs (TypeScript, Python, Go) handle 429s and exponential backoff automatically. Roll-your-own integrations should match that behaviour.
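The advice above as an added Python example (not the Quantum Elixir SDKs' code and not part of the original page): a client-side token bucket, plus a 429 handler that honours Retry-After and X-RateLimit-Reset before falling back to exponential backoff. TokenBucket, wait_after_429, send_with_limits and the send callable are hypothetical names; the header names are the ones listed under Headers.

```python
import random
import time


class TokenBucket:
    """Client-side limiter: refills at rate_per_min, holds at most `burst` tokens."""

    def __init__(self, rate_per_min, burst, clock=time.monotonic):
        self.rate = rate_per_min / 60.0      # tokens per second
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def reserve(self):
        """Take one token; return seconds the caller must sleep before sending."""
        self._refill()
        self.tokens -= 1.0                   # may go negative: queued callers wait in turn
        return max(0.0, -self.tokens / self.rate)


def wait_after_429(headers, attempt, now=None, base=1.0, cap=60.0, rng=random.random):
    """Seconds to wait after a 429. Prefer the server's hint over our own guess."""
    now = time.time() if now is None else now
    if "Retry-After" in headers:             # seconds, per the Headers section
        return float(headers["Retry-After"])
    if "X-RateLimit-Reset" in headers:       # Unix timestamp (seconds)
        return max(0.0, float(headers["X-RateLimit-Reset"]) - now)
    # No hint: exponential backoff with full jitter, capped (assumed defaults).
    return rng() * min(cap, base * 2 ** attempt)


def send_with_limits(send, bucket, max_retries=5, sleep=time.sleep):
    """`send` is a hypothetical callable returning (status, headers, body)."""
    for attempt in range(max_retries + 1):
        sleep(bucket.reserve())              # retries spend tokens too, so they never compound
        status, headers, body = send()
        if status != 429:
            return status, body
        sleep(wait_after_429(headers, attempt))
    raise RuntimeError("still rate-limited after %d retries" % max_retries)
```

Size the bucket below the limit of the bucket you call; for the 60 req/min screening limit, something like TokenBucket(rate_per_min=50, burst=10) is an illustrative setting, not a value from this page.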