Skip to main content
API requests are rate-limited. Three windows apply simultaneously, and the same limits apply to every endpoint — reads and writes alike.

The limits

Exceeding any one of them returns 429 Too Many Requests.
Limits are counted per client IP address, not per API key. If several of your systems share an outbound IP, they share a single budget. Conversely, spreading traffic across hosts gives each its own.

Rate limit headers

Every response reports your standing in all three windows. Header names carry the window as a suffix:
The suffix matters. There is no unsuffixed X-RateLimit-Remaining or Retry-After — reading those returns nothing. Parse the suffixed names.

When you exceed the limit

You receive 429 with a body explaining the failure. Wait for the window named in the Retry-After-* header, then resume.
Exponential backoff

Designing within the limits

  • Don’t sync by polling. Instead of re-fetching all contacts hourly, push changes as they happen with events.
  • Mind the hourly ceiling. 1,000 requests per hour is the binding constraint for backfills — averaging under one call every 3.6 seconds. A job that respects the per-second limit can still exhaust the hour.
  • Batch your backfills. For large one-time contact imports, the dashboard’s CSV import avoids the API entirely and is the better tool.
  • Queue on your side. Put API calls on a job queue with retry and backoff rather than calling inline from request handlers.
  • Watch X-RateLimit-Remaining-long and slow down before it reaches zero — it beats reacting to 429s.