Rate limiting

How we ensure stability for all API consumers

Limits

When developing an integration with Spendesk, please respect the following rate limits:

  • 50 requests per minute for each Spendesk company (entity) - both for customers calling APIs and for partners calling APIs on behalf of connected customers;
  • 250 requests per minute for OAuth2 partners - the more companies are connected to a partner, the more care needs to be taken to stay within this limit;
  • 5 concurrent requests at any given time for any API consumer.

HTTP Headers

Each API response contains the following headers, which mention applicable rate limits and remaining values:

x-ratelimit-limit		50
x-ratelimit-remaining		49
x-ratelimit-reset		60

When one of the limits is reached, all subsequent API requests will return error 429 until the x-ratelimit-reset interval (in seconds) passes.

Guidance

🚧

Partners are required to address rate limiting before going live

Spendesk will ask partners to explain how they intend to keep the frequency of API calls within limits.

When building an integration that will be used by more than a couple of companies, please design a mechanism that prevents reaching these rate limits. Typical mistakes include triggering the flow for all connected companies at the same moment, for example each day at 6am, each Monday at 6am or on the 1st of each month at 6am. Introducing randomness in the timing of API calls, respecting off-peak hours (9pm to 6am on weekdays) and sleeping between subsequent pages of multi-page responses are highly recommended.
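One way to apply this guidance on the client side, as an added example (not Spendesk code): a stable per-company start offset inside the off-peak window, plus a pager that sleeps between pages and waits out x-ratelimit-reset on a 429. The `send` transport, the 1.5-second page pause, the retry cap and the sample replies are assumptions constructed for illustration.

```python
import hashlib
import time

OFF_PEAK_SECONDS = 9 * 3600   # the 9pm-6am off-peak window from the guidance
PAGE_SLEEP = 1.5              # assumed pause; 60 s / 50 requests = 1.2 s minimum

def start_offset(company_id: str) -> int:
    """Stable per-company delay (seconds after 9pm) so runs do not start together."""
    digest = hashlib.sha256(company_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % OFF_PEAK_SECONDS

def wait_seconds(status: int, headers: dict) -> float:
    """Pause before the next request, derived from the documented headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 429 or int(h.get("x-ratelimit-remaining", 1)) <= 0:
        return float(h.get("x-ratelimit-reset", 60))  # wait out the reset interval
    return PAGE_SLEEP

def fetch_all_pages(send, sleep=time.sleep, max_retries=3):
    """Collect every page. `send(page)` is a hypothetical transport returning
    (status, headers, items, next_page), with next_page None on the last page."""
    items, page, retries = [], 1, 0
    while page is not None:
        status, headers, batch, next_page = send(page)
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError("still rate limited after retries")
            sleep(wait_seconds(status, headers))
            continue              # retry the same page once the interval has passed
        retries = 0
        items.extend(batch)
        page = next_page
        if page is not None:
            sleep(wait_seconds(status, headers))
    return items

def demo():
    """Constructed offline run: page 2 answers 429 once, then succeeds."""
    replies = [(200, {"x-ratelimit-remaining": "1", "x-ratelimit-reset": "60"}, ["a"], 2),
               (429, {"x-ratelimit-remaining": "0", "x-ratelimit-reset": "42"}, [], None),
               (200, {"x-ratelimit-remaining": "0", "x-ratelimit-reset": "17"}, ["b"], 3),
               (200, {"x-ratelimit-remaining": "48", "x-ratelimit-reset": "60"}, ["c"], None)]
    waits = []
    items = fetch_all_pages(lambda page: replies.pop(0), sleep=waits.append)
    return items, waits

if __name__ == "__main__":
    print(demo(), start_offset("company-a"))
```

Because the pager issues one request at a time, a single run also stays well inside the limit of 5 concurrent requests; the per-partner limit still depends on how many company runs overlap.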