429 Too Many Requests

What 429 Too Many Requests means

429 Too Many Requests is the rate-limit response. The client has exceeded the allowed request rate and must back off. The response should include a Retry-After header (seconds to wait, or an HTTP date) so the client can schedule the retry. Many APIs also include rate-limit metadata: X-RateLimit-Limit (requests per window), X-RateLimit-Remaining (requests left), X-RateLimit-Reset (when the window resets).

When servers should return it: Return 429 when a client exceeds rate-limit thresholds. Always include Retry-After. Rate-limit per-IP, per-API-key, per-user, or per-account depending on threat model.

Common causes

• Too many requests in a short window
• Burst exceeded the per-second cap
• Daily quota exhausted
• Concurrent connection limit hit
• Bot-like traffic patterns triggered defensive rate limit

How to fix 429 Too Many Requests

• Read Retry-After and back off accordingly
• Implement exponential backoff with jitter
• Cache responses to reduce request volume
• For batch operations, use bulk endpoints instead of N individual requests
• For client-side, use token-bucket rate limiting before sending
• Upgrade to a higher tier if the limit is hit consistently

Example response

curl -i https://api.example.com/data

HTTP/2 429
retry-after: 60
x-ratelimit-limit: 100
x-ratelimit-remaining: 0
x-ratelimit-reset: 1714914000
content-type: application/json
{"error":"rate limit exceeded","retry_after_seconds":60}

Related status codes

More references

For a one-page reference of all HTTP status codes, see the HTTP cheat sheet. For testing API responses, try the API Tester tool. For inspecting responses on the command line, the curl cheat sheet covers the most common flags.