Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.qonto.com/llms.txt

Use this file to discover all available pages before exploring further.

What are rate limits?

API rate limits are restrictions set on how many times an API can be called within a specific period of time. They are commonly used to:
  • Protect the API from overuse or abuse (such as from malicious actors or poorly written code)
  • Ensure fair usage among all users
  • Maintain performance and stability of the service

How to handle them at Qonto?

The frequency of your requests should respect the following rate limitations:
  • 1 000 requests / 10 seconds
  • 10 000 requests / 10 minutes
If you don’t respect those rate limitations, you will get a 429 Too Many Requests error.Additionally, we will throttle if there are more than 200 requests with status 401 within 1 hour.Rate limitations are applied per IP address.
  • You need to set up your Sandbox environment
  • Play with dummy data by making API calls using your Sandbox base URLs
  • Check if the API responses are the expected ones
Here is a thorough explanation on how to set up and use the Sandbox environment
If you need to test a sensitive action in the Sandbox environment, follow this guide.

Understand the Limits

  • 1,000 requests per 10 seconds & 10,000 requests per 10 minutes
  • Max. 200 requests with status 401 per hour
  • Limits are enforced per IP address
  • Exceeding limits returns a 429 Too Many Requests error
  • Frequent 401 responses may lead to throttling

What to Expect from Qonto

  • Qonto uses standard HTTP status codes:
    • 2xx: Success
    • 4xx: Client errors (e.g., invalid parameters, unauthorized)
    • 5xx: Server errors (rare)
  • Error response format: Follows the JSON:API error object. Example: 
    {
  "errors": [
    {
      "code": "not_in_list",
      "detail": "status must be one of: pending, approved, declined",
      "source": {
        "parameter": "status"
      }
    }
  ]
}
  • The error object includes:
    • code: Machine-readable error code (e.g., not_in_list)
    • detail: Human-readable explanation
    • source.pointer/source.parameter: Pinpoints the problematic part of your request

Best Practices for Handling Errors and Retries

Handle 429 Errors Gracefully

  • Do not retry immediately: When you receive a 429, don’t immediately retry. Instead, implement exponential backoff (increase the wait time between retries).
    Example: Wait 1s, then 2s, then 4s, etc.
  • Check for Retry-After header: If the API provides a Retry-After header, always respect it before retrying.

Proactively Monitor Your Request Rate

  • Track your own usage: Keep a count of requests sent in the last 10 seconds and last 10 minutes per IP.
  • Throttle on the client side: If you’re approaching the limit, slow down or queue requests before hitting the server.

Handle 401 Errors Carefully

  • Investigate authentication issues: 401 errors mean unauthorized. Don’t blindly retry. Instead, check your credentials or token validity.
  • Stop after repeated 401s: If you get several 401s in a row, stop and investigate to avoid hitting the 200/hour limit and getting throttled.

Parse Error Responses Properly

  • Always read the code and detail fields in the error response to understand the problem.
  • Use source pointers/parameters to locate exactly what caused the error in your request.

Log and Alert

  • Log all rate limit and auth errors: This helps in debugging and in tuning your retry logic.
  • Set up alerts for sudden spikes in 401 or 429 errors.

Design Resilient Retry Logic

  • Limit total number of retries: Don’t retry forever. Set a maximum retry limit per request.
  • Randomize retry intervals: To avoid “thundering herd” problems, add randomness (jitter) to your retry intervals.
Need to report a bug, request a new feature, or didn’t find your answer? Click here.