The InfraAudit API applies rate limits per authenticated user to prevent abuse and ensure availability for all accounts. Rate limit status is returned in response headers on every request.
Every API response includes the following headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum number of requests allowed in the current window |
| X-RateLimit-Remaining | Requests remaining before you hit the limit |
| X-RateLimit-Reset | Unix timestamp (seconds) when the current window resets |
Example response headers:
```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1712345678
```
When you exceed the limit
When your request count exceeds the limit, the API returns 429 Too Many Requests:
```json
{
  "error": "rate limit exceeded",
  "retryAfter": 30
}
```
retryAfter is the number of seconds to wait before retrying your request.
Handling 429 responses
Wait for the number of seconds in retryAfter before retrying. Do not immediately retry — doing so consumes more of your remaining quota.
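```bash
# Send one request; capture the body and append the HTTP status code on its own line
response=$(curl -s -w "\n%{http_code}" \
  https://api.infraaudit.dev/v1/resources \
  -H "Authorization: Bearer $TOKEN")
response_code=$(printf '%s\n' "$response" | tail -n 1)
body=$(printf '%s\n' "$response" | sed '$d')

if [ "$response_code" = "429" ]; then
  # Read retryAfter from the 429 body already received, without sending a second request
  retry_after=$(printf '%s' "$body" | jq '.retryAfter')
  echo "Rate limited. Waiting ${retry_after}s..."
  sleep "$retry_after"
  # Retry the request
fi
```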
Check X-RateLimit-Remaining before making bursts of requests. If the value is low, add a short delay between calls to avoid hitting the limit.
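One way to turn that check into a delay, as an added example that is not part of the InfraAudit documentation: it reads X-RateLimit-Remaining and X-RateLimit-Reset from a raw header dump, rejects values that are not plain integers, and spreads the remaining calls over the time left in the window. The function names, `LOW_WATER`, `MAX_WAIT` and the sample headers are assumptions made for illustration.

```shell
# Added example: names, LOW_WATER and MAX_WAIT are assumptions, not InfraAudit settings.
LOW_WATER=10   # assumed threshold below which Remaining counts as "low"
MAX_WAIT=300   # assumed cap on a single wait, in seconds

# header_value HEADERS NAME: print NAME's value from a raw header dump
# (for example the output of curl -D -). Header names are matched
# case-insensitively and the trailing CR is stripped. Prints nothing unless
# the value is a plain decimal integer of at most 12 digits.
header_value() {
  printf '%s\n' "$1" | awk -F': *' -v name="$2" '
    tolower($1) == tolower(name) { v = $2; sub(/\r$/, "", v) }
    END { if (v ~ /^(0|[1-9][0-9]*)$/ && length(v) <= 12) print v }'
}

# pacing_delay HEADERS NOW: print the seconds to wait before the next request.
pacing_delay() {
  remaining=$(header_value "$1" X-RateLimit-Remaining)
  reset=$(header_value "$1" X-RateLimit-Reset)
  # Missing or malformed headers: fall back to a fixed one-second pause.
  if [ -z "$remaining" ] || [ -z "$reset" ]; then echo 1; return 0; fi
  window=$(( reset - $2 ))
  if [ "$window" -lt 0 ]; then window=0; fi
  if [ "$remaining" -eq 0 ]; then
    delay=$window                                      # quota spent: wait for the reset
  elif [ "$remaining" -lt "$LOW_WATER" ]; then
    delay=$(( (window + remaining - 1) / remaining ))  # spread calls over the window
  else
    delay=0
  fi
  if [ "$delay" -gt "$MAX_WAIT" ]; then delay=$MAX_WAIT; fi
  echo "$delay"
}

# Constructed sample headers (illustrative values, CRLF line endings as on the wire).
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\nx-ratelimit-limit: 100\r\n'
  printf 'x-ratelimit-remaining: %s\r\nX-RateLimit-Reset: %s\r\n\r\n' "$1" "$2"
}

# 4 requests left, 30 s until reset: wait 8 s between calls.
pacing_delay "$(sample_headers 4 1712345678)" 1712345648
```

In a real client, pass the headers captured from the previous response and `$(date +%s)` as the current time, then `sleep` for the printed number of seconds.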
Self-hosted deployments can adjust rate limit defaults via environment variables. See the configuration reference for available options.