Rate limits
Rate limits apply at several levels. When a limit is exceeded the API
returns 429 Too Many Requests. Key and endpoint limits name the
specific limit in the message. The IP layer returns a generic message.
| Layer | Limit | Window | Scope |
|---|---|---|---|
| Global IP | 300 requests | 60 seconds | Per IP address |
| Per API key | 100 requests | 60 seconds | Per REST API secret |
| Statistics endpoint | 10 requests | 60 seconds | Per domain |
| Export endpoint | 5 requests | 1 hour | Per domain |
| Delete endpoint | 10 requests | 60 seconds | Per API key |
| Consent proof | 20 requests | 60 seconds | Per domain |
Working within the limits
- Consent status responses are cached for 30 seconds per visitor, and repeated checks within that window are inexpensive.
- Domain info and cookie declarations are cached for 5 minutes.
- For bulk reads, use List consents with pagination or a scheduled export instead of many single-visitor calls.