Global limit
Every authenticated merchant gets a base of 1,000 requests per minute, shared across all/v1/* endpoints, enforced on a rolling 60-second window. The limit is per merchant (not per IP) — seats and servers behind a shared egress NAT all count against the same quota, but separate merchants never share quotas with each other.
Merchant rate-limit tiers
Merchants can be placed on a higher tier by Anton. The tier applies a multiplier to the base 1,000 rpm ceiling.| Tier | Multiplier | Effective ceiling |
|---|---|---|
| Default | 1× | 1,000 rpm |
| Growth | 2× | 2,000 rpm |
| Scale | 5× | 5,000 rpm |
| High-volume | 10× | 10,000 rpm |
| Enterprise | 20× | 20,000 rpm |
GET /v1/merchant — the response includes rate_limit_multiplier (1, 2, 5, 10, or 20) and the effective rate_limit_per_minute. Promotions take effect immediately on the next request; no rollout is required.
Endpoint-specific limits
Some endpoints are more expensive or more sensitive and carry a tighter ceiling:| Endpoint | Limit |
|---|---|
POST /v1/fx/quote | 30 / minute per merchant |
GET /v1/fx/rate | 30 / minute per merchant |
POST /v1/fx/exchange | 10 / minute per merchant |
POST /v1/webhooks/{id}/test | Reduced (sensitive operations ceiling) |
Headers on every response
| Header | Value |
|---|---|
X-RateLimit-Limit | Maximum requests permitted in the current window. |
X-RateLimit-Remaining | Requests remaining in the current window. |
X-RateLimit-Reset | Unix timestamp (seconds) when the current window resets. |
429 Too Many Requests with an additional header:
| Header | Value |
|---|---|
Retry-After | Seconds to wait before retrying. |
Handling 429
Treat429 as transient. Back off for at least the number of seconds in Retry-After before retrying. Use jittered exponential backoff when retrying many requests at once — retrying everything at the exact Retry-After moment creates a thundering herd that trips the limiter again.