HomeGuidesRecipesAPI ReferenceChangelog
GuidesAPI ReferenceCustomer Help CenterLog In

Rate Limiting

While Xola can automatically scale its resources to meet the demands of incoming traffic, it often has a cost in terms of money and speed. Scaling traffic costs money, and a higher load on our systems often affects other system users. The main reason to throttle requests is to protect our server resources. There are few situations in which API throttling may kick in.

  1. Some developers make haphazard API requests with little consideration for performance effects. They may perform an excessive number of API calls, using numerous server resources without doing anything significant.
  2. Integrations accidentally getting into infinity loops in production environments.
  3. Malicious bots attempting to scrape data.


The rate limits are calculated based on user and seller information available in the API call. We follow the below comparison order:

  1. User ID and Seller ID (if present)
  2. If Seller ID is not present, then only User ID is used.
  3. If both are not present, then we block the entire IP.

We go through the above combinations, choose the most applicable one, and block the combination of that API call.



900 requests in an 30 minute window (averages out to 2 requests per second).

The header and the response of each API call looks like below

HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 900
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1612197197
Retry-After: 296
  "message":"Too many requests, please try again later.",
  "rateLimit": {
    "limit": 900,
    "current": 905,
    "remaining": 0,
  • resetTime specifies the timestamp after which you may re-try
  • retryInSeconds specifies the time to wait before re-trying


Post Limit Action

After someone hits the limit, a HTTP 429 response will be returned with a message explaining that they have hit the limit and when the block will be lifted.


  • Always make API calls using a registered app/integration's API key


  • Do not use the seller API key
  • Do not use your developer API key