Skip to main content
To ensure fair use and platform stability for all merchants, the Merchant API enforces rate and concurrency limits per API user. Exceeding these limits will result in specific HTTP-level error responses with headers to help you manage your request flow.

Limits

LimitValue
Rate limit10 requests/second
Burst capacity60 requests
Concurrency limit5 simultaneous requests
Maximum API keys per merchant6
The rate limiter uses a token bucket algorithm keyed by API user ID. This means limits are enforced per API credential, not per IP address. Each API user has an independent token bucket, so if you need to separate concerns (e.g., rating vs. order submission), consider using separate API keys to avoid one workflow’s burst activity affecting another.
Each merchant is limited to 6 active API users. Attempting to create or activate additional API keys beyond this limit will result in an error: “You’ve reached your limit of 6 API keys. Please delete any unused API keys and try again.”

Response Codes

CodeMeaning
409 ConflictThe concurrency limit has been reached. Too many simultaneous requests are in flight for this API user.
429 Too Many RequestsThe rate limit has been exceeded. Wait for the duration indicated in the Retry-After header before retrying.

Response Headers

These headers are included on every response, including rate-limited responses, to help you track your current usage.

Rate Limit Headers

HeaderDescription
RateLimit-LimitThe maximum number of requests you can make per minute.
RateLimit-RemainingThe approximate number of requests remaining before being limited.
Retry-AfterThe number of seconds to wait before retrying. Only present when a 429 response is returned.

Concurrency Headers

HeaderDescription
X-Concurrency-LimitThe maximum number of concurrent requests allowed for this API user.
X-Concurrency-CurrentThe number of requests currently in flight for this API user.

Handling Rate Limit Errors

When you receive a 429 Too Many Requests response, inspect the Retry-After header and wait at least that many seconds before retrying the request. When you receive a 409 Conflict response, reduce the number of in-flight requests. Use the X-Concurrency-Current and X-Concurrency-Limit headers to gauge how close you are to the limit.
If your integration processes high volumes of requests (e.g., bulk order imports or rating calls), consider using separate API keys for different workflows. Since limits are tracked per API user, this prevents spikes in one workflow from affecting another.