Rate Limits
VaultsPay enforces request-rate limits to protect the platform. Limits are applied per API key.
| Tier | Requests per minute |
|---|---|
| Sandbox | 120 |
| Production | 600 |
| Enterprise | Custom |
Response headers
Every response includes:
| Header | Meaning |
|---|---|
| X-RateLimit-Limit | Your current ceiling (requests / minute). |
| X-RateLimit-Remaining | Requests you have left in the current window. |
| X-RateLimit-Reset | UNIX timestamp when the window resets. |
When you exceed the limit
The API responds with HTTP 429 Too Many Requests and a Retry-After header (seconds).
429 Too Many Requests
```json
{
  "error": {
    "code": "rate_limit_exceeded",
    "message": "You have exceeded the allowed request rate."
  }
}
```
Best practices
- Retry with exponential backoff — double the wait time on each attempt (e.g. 1s → 2s → 4s → 8s).
- Batch operations — use the `/v1/batch` endpoint for bulk mutations.
- Use webhooks instead of polling — subscribe to events you care about rather than re-fetching resources.
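```javascript
// Retry fn() on HTTP 429 with exponential backoff, making at most maxAttempts calls in total.
async function withBackoff(fn, maxAttempts = 5) {
  let attempt = 0
  while (true) {
    try {
      return await fn()
    } catch (err) {
      attempt++
      // Rethrow anything that is not a rate-limit error, or once the attempt budget is spent.
      if (err.status !== 429 || attempt >= maxAttempts) throw err
      // Wait 1s, 2s, 4s, 8s ... capped at 30s.
      const wait = Math.min(30000, 2 ** (attempt - 1) * 1000)
      await new Promise(r => setTimeout(r, wait))
    }
  }
}
```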
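An added example (not VaultsPay's own code) that extends the helper above: it takes the wait from the `Retry-After` header, then from `X-RateLimit-Reset`, and falls back to exponential backoff only when neither is usable. It assumes the thrown error carries `status` and a `headers` object with lower-cased names; `retryDelayMs`, `withRateLimitRetry` and the `maxWaitMs` give-up threshold are hypothetical names.

```javascript
// Added example, not VaultsPay code. Assumed error shape: err.status, err.headers
// (plain object, lower-cased names of the headers documented on this page).
const FALLBACK_CAP_MS = 30000

// Parse a numeric header; missing or empty values become NaN instead of 0.
function headerNumber(headers, name) {
  const raw = headers[name]
  return raw == null || raw === '' ? NaN : Number(raw)
}

// Decide how long to wait before retry number `attempt` (0-based).
function retryDelayMs(headers, attempt, nowMs = Date.now()) {
  // 1. Retry-After (seconds) is the server's explicit instruction on a 429.
  const retryAfter = headerNumber(headers, 'retry-after')
  if (Number.isFinite(retryAfter) && retryAfter >= 0) return Math.ceil(retryAfter * 1000)

  // 2. X-RateLimit-Reset is a UNIX timestamp (seconds); use it only if still in the future.
  const resetMs = headerNumber(headers, 'x-ratelimit-reset') * 1000
  if (Number.isFinite(resetMs) && resetMs > nowMs) return resetMs - nowMs

  // 3. No usable hint: exponential backoff, capped.
  return Math.min(FALLBACK_CAP_MS, 2 ** attempt * 1000)
}

const realSleep = ms => new Promise(resolve => setTimeout(resolve, ms))

// Call fn() at most maxAttempts times; give up instead of sleeping longer than maxWaitMs,
// so a malformed or unexpected header value cannot stall the caller indefinitely.
async function withRateLimitRetry(fn, { maxAttempts = 5, maxWaitMs = 60000, sleep = realSleep } = {}) {
  for (let attempt = 0; ; attempt++) {
    try {
      return await fn()
    } catch (err) {
      if (err.status !== 429 || attempt + 1 >= maxAttempts) throw err
      const wait = retryDelayMs(err.headers || {}, attempt)
      if (wait > maxWaitMs) throw err
      await sleep(wait)
    }
  }
}
```

Passing a `sleep` stub makes the retry path testable without real delays.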