Rate limits
Request throttling, auth limits, and X-RateLimit-* response headers.
MailingCore applies request throttling to protect the platform. Limits are separate from your monthly email quota.
Global API limit (production)
| Setting | Value |
|---|---|
| Requests | 300 per minute per client |
| Window | 60 seconds (RATE_LIMIT_TTL_MS) |
| Development | 1000/min (default) |
When exceeded, the API returns 429 Too Many Requests with a retry message.
Auth endpoints (stricter)
Login and registration routes use a dedicated limit:
| Setting | Value |
|---|---|
| Requests | 15 per 15 minutes |
| Applies to | POST /auth/login, POST /auth/register, password reset, 2FA verify-login |
Response headers
Successful responses may include:
X-RateLimit-Limit: 300
X-RateLimit-Remaining: 287
X-RateLimit-Reset: 1719820800
| Header | Description |
|---|---|
| X-RateLimit-Limit | Max requests in the current window |
| X-RateLimit-Remaining | Requests left before throttling |
| X-RateLimit-Reset | Unix timestamp when the window resets |
Best practices
- Backoff on 429 — wait until X-RateLimit-Reset or use exponential backoff.
- Batch sends — use POST /emails/batch instead of many single sends.
- Cache dashboard reads — avoid polling /emails/logs faster than needed.
- Server-side auth — never hammer /auth/login from client-side retry loops.
See Error codes for the full error JSON format.
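The "Backoff on 429" practice above, sketched as a bounded retry helper. This is an added example, not MailingCore client code: `wait_seconds`, `call_with_backoff`, the `send` callable and the 900-second cap are assumptions made for illustration.

```python
import random
import time

MAX_WAIT_S = 900  # assumption: cap waits at 15 minutes, the longest window on this page


def wait_seconds(headers, attempt, now=None, base=1.0, rng=random.random):
    """Seconds to sleep after a 429: trust a sane X-RateLimit-Reset, else back off."""
    now = time.time() if now is None else now
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        delay = float(lowered.get("x-ratelimit-reset")) - now
    except (TypeError, ValueError):
        delay = None  # header absent or not a number
    # Use the server's reset time only if it is in the future and within the cap;
    # a stale or absurd value must not stall or spin the client.
    if delay is not None and 0 < delay <= MAX_WAIT_S:
        return delay
    # Fallback: exponential backoff with full jitter, capped.
    return min(MAX_WAIT_S, base * 2 ** attempt) * rng()


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, now=time.time):
    """send() -> (status, headers, body). Retries only on 429, a bounded number of times."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt + 1 < max_attempts:
            sleep(wait_seconds(headers, attempt, now=now()))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


if __name__ == "__main__":
    # Constructed responses: one 429 with a reset 30 s ahead, then success.
    replies = iter([(429, {"X-RateLimit-Reset": "130"}, None), (200, {}, "ok")])
    print(call_with_backoff(lambda: next(replies), sleep=print, now=lambda: 100.0))
```

The attempt limit matters most on the auth routes: with 15 requests per 15 minutes, an unbounded retry loop keeps the window exhausted instead of letting it reset.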