DocumentationRate limits

Rate limits

Request throttling, auth limits, and X-RateLimit-* response headers.

MailingCore applies request throttling to protect the platform. Limits are separate from your monthly email quota.

Global API limit (production)

SettingValue
Requests300 per minute per client
Window60 seconds (RATE_LIMIT_TTL_MS)
Development1000/min (default)

When exceeded, the API returns 429 Too Many Requests with a retry message.

Auth endpoints (stricter)

Login and registration routes use a dedicated limit:

SettingValue
Requests15 per 15 minutes
Applies toPOST /auth/login, POST /auth/register, password reset, 2FA verify-login

Response headers

Successful responses may include:

X-RateLimit-Limit: 300
X-RateLimit-Remaining: 287
X-RateLimit-Reset: 1719820800
HeaderDescription
X-RateLimit-LimitMax requests in the current window
X-RateLimit-RemainingRequests left before throttling
X-RateLimit-ResetUnix timestamp when the window resets

Best practices

  1. Backoff on 429 — wait until X-RateLimit-Reset or use exponential backoff.
  2. Batch sends — use POST /emails/batch instead of many single sends.
  3. Cache dashboard reads — avoid polling /emails/logs faster than needed.
  4. Server-side auth — never hammer /auth/login from client-side retry loops.

See Error codes for the full error JSON format.