Rate Limiting
Debitura enforces rate limits on all external APIs to protect system stability. Limits apply per API key across three time windows.
Default Limits
| Window | Limit | Type |
|---|---|---|
| Per minute | 2,000 requests | Sliding window |
| Per hour | 20,000 requests | Fixed window |
| Per day | 100,000 requests | Fixed window (UTC) |
A request is rejected if it exceeds any of the three limits. Each API key maintains independent counters.
Rate Limit Response
When you exceed a limit, the API returns HTTP 429:
{
"error": "rate_limit_exceeded",
"message": "Too many requests. Please try again later or contact support if you need higher limits.",
"retryAfter": 42.0
}
The retryAfter field indicates seconds until capacity becomes available.
Handling Rate Limits
- Check for HTTP 429 status code
- Read
retryAfterfrom the response body - Wait the specified duration before retrying
- Implement exponential backoff if retries continue to fail
async function makeRequestWithRetry(url, options, maxRetries = 3) {
for (let attempt = 0; attempt < maxRetries; attempt++) {
const response = await fetch(url, options);
if (response.status === 429) {
const { retryAfter } = await response.json();
const delay = (retryAfter || Math.pow(2, attempt)) * 1000;
await new Promise(resolve => setTimeout(resolve, delay));
continue;
}
return response;
}
throw new Error('Max retries exceeded');
}
Key Behaviors
Sliding vs fixed windows: The per-minute limit uses a sliding window divided into 10-second segments, providing smooth limiting. Per-hour and per-day limits use fixed windows that reset at clock boundaries (start of hour, midnight UTC).
No queuing: Requests exceeding the limit are immediately rejected. Debitura does not queue requests waiting for capacity.
Unauthenticated requests: Requests without a valid API key are tracked under a shared fallback partition and subject to the same limits.
Requesting Higher Limits
If your integration requires higher throughput, contact contact@debitura.com with:
- Your use case and expected request volume
- Which API and endpoints you're calling
- Whether you need burst capacity or sustained throughput