There are no published per-plan quotas to request an increase against. If a well-behaved integration is hitting limits, that usually points to a traffic pattern worth fixing (see Build a well-behaved client) rather than a quota to raise.
How limits are applied
Limits are enforced independently per service and are evaluated globally across that service’s instances — you can’t escape a limit by landing on a different server. A request is identified by a combination of:- Your IP address — every request counts against a per-IP limit.
- Your access token — the full
Authorizationheader. Requests with no auth header skip the token limiter but still count against the IP limiter, so send a stable token to be limited as you rather than lumped in with everyone sharing an IP. - The endpoint path — on some public surfaces, specific paths have their own limits.
429 Too Many Requests.
Traffic limits by surface
These are sustained per-second limits. When exceeded, the key is blocked for a short cooldown before requests are accepted again.The GraphQL API endpoint is the one most integrations call for deposits, purchases, transfers, and reveals — plan around 20 requests per second there. The mobile/app gateway’s per-IP, per-token, and per-endpoint limits are configured per environment and aren’t published as fixed numbers; treat them as protective and back off on
429.Authentication & security
Sign-in, PIN, and two-factor (2FA) flows are protected separately from general API traffic. Repeated failed attempts — logins, PIN checks, or 2FA verification — and excessive 2FA or SMS requests trigger temporary lockouts that clear on their own after a cooldown. Successful authentication resets these counters.When you exceed a limit
Every rate-limited response uses status429 Too Many Requests. The body and headers vary by surface:
Retry-After(integer seconds) is returned on the authentication IP limiter and the PIN/2FA flows. It is not guaranteed on the general GraphQL/web traffic limiters.- There are currently no
X-RateLimit-Limit,X-RateLimit-Remaining, orX-RateLimit-Resetheaders — don’t build logic that depends on them.
Build a well-behaved client
1
Treat 429 as retryable
Honor
Retry-After when it’s present. When it isn’t, back off exponentially starting around 1 second (1s → 2s → 4s…) rather than retrying immediately.2
Keep sustained rates modest
Don’t parallel-blast a surface from a single IP or token. For the GraphQL API, stay comfortably under 20 requests/second and smooth out bursts.
3
Don't auto-retry auth failures
Repeated login, PIN, or 2FA failures cause temporary lockouts. Show the user a “try again later” message instead of retrying automatically.
4
Send a stable access token
Authenticate every request with your token so token-based limits apply to your traffic specifically, instead of being aggregated with others behind a shared IP.
Retry-After isn’t guaranteed everywhere, pair your retry logic with idempotency keys so a retried mutation never double-processes a purchase or transfer. For the full error catalog, see Errors.