Rate Limits

Summary

The API is rate-limited per client IP. There is a global default plus tighter per-endpoint limits on sensitive operations. Exceeding a limit returns 429 Too Many Requests.

Limits

Scope	Limit
Global default	`60 / minute` (configurable via `RATE_LIMIT`)
`POST /scans`, `POST /preflight`	`10 / minute`
`POST /auth/login`, `/auth/register`, `/auth/reset-password`, `/auth/2fa/*`	`5 / minute`
`POST /auth/google`, `/auth/refresh`, `/auth/verify-email`, `/auth/saml/acs`	`10 / minute`
`POST /auth/forgot-password`, `/auth/resend-verification`	`3 / minute`
Break-glass attempts	`10 / hour` per IP

Recommended client behavior

On 429, back off and retry with exponential backoff.
For scans, use the Idempotency-Key header so a retry doesn’t launch a duplicate.
Batch where possible rather than polling tightly; respect the per-endpoint limits above.

Examples

# Idempotent scan launch (safe to retry on 429)
curl -X POST "https://<your-host>/scans" \
  -H "X-API-Key: cspm_xxxxxxxxxxxxxxxx" \
  -H "Idempotency-Key: nightly-prod-2026-05-25" \
  -H "Content-Type: application/json" \
  -d '{"projects":["my-project"],"profile":"full"}'

Notes & limitations

Limits are enforced per client IP; behind a proxy, ensure the real client IP is forwarded.
The global limit is configurable by the operator via the RATE_LIMIT environment variable.

Rate Limits

Summary

Limits

Recommended client behavior

Examples

Notes & limitations

Related articles