The Dualhook Platform API enforces per-API-key rate limits across four scopes: reads, writes, the dedicated reveal-secrets endpoint, and the health-refresh endpoint. Every authenticated response carries X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset so your client can back off cleanly. Hitting a limit returns 429 rate_limited.
Scopes and limits
| Scope | Limit |
|---|---|
| Reads (GET) | 100 / minute |
| Writes (POST / PATCH / DELETE) | 30 / minute |
| Reveal secrets | 60 / hour |
| Health refresh | 10 / minute |
Limits are per API key. If you have multiple API keys (production + staging), each gets its own budget.
Headers on every authenticated response
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 84
X-RateLimit-Reset: 1714400000
X-RateLimit-Reset is the Unix epoch time, in seconds, at which the budget refills.
When you exceed a scope, the response is 429 with body:
{
  "error": {
    "code": "rate_limited",
    "message": "Too many requests for this scope; retry after the X-RateLimit-Reset timestamp.",
    "type": "rate_limited"
  }
}
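A client-side backoff built on the headers and 429 body above, as an added example that is not Dualhook's own code. The `send` transport callable, the function names, the exponential fallback and the one-hour cap on waits are assumptions; the cap keeps a malformed or far-future reset value from stalling the client.

```python
import time

MAX_WAIT = 3600  # assumption: cap waits at the longest window on the page (60 / hour)

def wait_seconds(headers, now):
    """Seconds until X-RateLimit-Reset (Unix epoch seconds), clamped to [0, MAX_WAIT].
    Returns None when the header is missing or not an integer."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        reset = int(lowered["x-ratelimit-reset"])
    except (KeyError, TypeError, ValueError):
        return None
    return min(max(reset - int(now), 0), MAX_WAIT)

def is_rate_limited(status, body):
    """True for a 429 whose JSON body carries error.code == "rate_limited"."""
    error = body.get("error") if isinstance(body, dict) else None
    return status == 429 and isinstance(error, dict) and error.get("code") == "rate_limited"

def call_with_backoff(send, max_attempts=3, now=time.time, sleep=time.sleep):
    """Call send() -> (status, headers, body); on rate_limited, sleep until the
    reset time and retry. `send` is a hypothetical transport callable."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if not is_rate_limited(status, body):
            return status, headers, body
        if attempt == max_attempts - 1:
            break  # out of attempts: hand the 429 back to the caller
        delay = wait_seconds(headers, now())
        sleep(delay if delay is not None else 2 ** attempt)  # fallback if header unusable
    return status, headers, body

def demo():
    """Constructed exchange: one 429 ten seconds before the reset, then a 200."""
    clock, slept = [1714399990], []
    responses = iter([
        (429, {"x-ratelimit-limit": "100", "x-ratelimit-remaining": "0",
               "x-ratelimit-reset": "1714400000"},
         {"error": {"code": "rate_limited", "type": "rate_limited"}}),
        (200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "99",
               "X-RateLimit-Reset": "1714400060"}, {"ok": True}),
    ])
    def fake_sleep(seconds):
        slept.append(seconds)
        clock[0] += seconds
    status, _, _ = call_with_backoff(lambda: next(responses),
                                     now=lambda: clock[0], sleep=fake_sleep)
    return status, slept
```

Because limits are per API key and per scope, keep one backoff state per key and scope rather than a single global pause.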
Raising limits
Limits are easily raised for production partners — talk to us. The defaults are sized for typical SaaS onboarding traffic patterns, not for backfills or migrations.