Rate Limits
A rate limit is a broker-imposed cap on how many API requests you may send within a time window, enforced to protect their infrastructure, and exceeding it triggers throttling, 429 errors or temporary bans.
Quick answer: A rate limit is a broker-imposed cap on how many API requests you may send within a time window, enforced to protect their infrastructure, and exceeding it triggers throttling, 429 errors or temporary bans.
In simple words
A rate limit is a speed limit on your API calls. The broker allows only so many requests per second or per minute, and if you go faster they start rejecting your requests or block you for a while. Your code has to pace itself, because tripping the limit at the wrong moment can mean a missed order.
Purpose
Rate limits exist so one client cannot overwhelm the broker's servers and degrade service for everyone; respecting them keeps your access stable and your critical order requests from being throttled when you need them.
Professional explanation
How rate limits are expressed
Brokers publish limits in several shapes, and you must design to the actual one. Common forms are requests-per-second, requests-per-minute, and separate quotas per endpoint category — order placement often has a tighter limit than data reads. Some APIs also cap concurrent connections or the number of instruments per WebSocket. A key subtlety is the enforcement window: a limit of 10 requests per second might be a rolling window (any 1-second span) or a fixed window (each calendar second reset), and bursting behaves very differently under each. Read the documentation for both the number and the window, because guessing leads to intermittent, hard-to-reproduce 429s.
The 429 response and Retry-After
When you exceed a limit, a well-behaved API returns HTTP 429 Too Many Requests, often with a Retry-After header telling you how long to wait. The correct response is to stop, honour the wait, and only then retry — not to immediately re-send, which digs the hole deeper and can escalate to a temporary ban. Because 429 is a transient condition, it belongs in your retry-with-backoff path, but distinctly from 5xx: a 429 specifically means slow down, whereas a 500 means the server erred. Ignoring Retry-After and retrying aggressively is a fast route to being blocked.
Client-side throttling: staying under the ceiling
The robust approach is to never hit the limit in the first place by throttling yourself. A common mechanism is a token-bucket or leaky-bucket rate limiter: the bucket refills at the allowed rate, each request consumes a token, and if the bucket is empty the request waits. This smooths bursts into a steady stream that stays below the ceiling. Placing this limiter inside your shared API client means every part of the system automatically respects the budget, and you tune it to a safe margin below the published limit rather than riding the exact edge, since clocks and windows never align perfectly.
Batching and reducing request count
Often the best way to respect a limit is to need fewer requests. Many broker APIs offer batch or bulk endpoints — fetching quotes for many instruments in one call, or querying the full order book rather than each order individually. Subscribing to a WebSocket instead of polling REST for prices collapses thousands of would-be requests into one connection. Caching data that changes slowly — the instrument master, margins — avoids re-fetching it in a loop. Every request you design out of the system is a request that can never trip the limit.
Prioritising critical requests
Not all requests are equal: placing or cancelling an order matters far more than refreshing a dashboard. Under a shared budget, low-priority polling can starve high-priority order actions right when the market moves. Mature systems therefore reserve headroom for order flow — for instance, a separate limiter or a priority queue that lets a cancel jump ahead of a routine quote refresh. The design goal is that you never fail to cancel a runaway position because a background task consumed the quota.
Consequences of ignoring limits
Persistently breaching rate limits escalates. First requests get 429s; then the broker may impose a temporary ban of minutes to hours; repeated abuse can lead to key suspension. During a ban your system is effectively blind and unable to act — a dangerous state if you hold open positions. Because the penalty lands precisely when you are behaving badly, and markets do not pause for your timeout, treating rate limits as a hard engineering constraint rather than a soft suggestion is a risk-management issue, not merely a courtesy to the broker.
Ways to stay within rate limits
| Technique | What it does | Best for |
|---|---|---|
| Client-side throttle | Paces requests below the cap | All request types |
| Batching | Many items per request | Bulk quotes / status |
| WebSocket streaming | One connection vs polling | Live market data |
| Caching | Avoids re-fetching stable data | Instrument master, margins |
| Priority reservation | Protects order requests | Critical order flow |
Practical example
Illustrative example (Indian market)
Suppose a broker allows 3 order requests per second and 10 data requests per second. Your system tracks 200 instruments. Instead of polling each with its own request (which would need far more than 10/second), it subscribes to one WebSocket for prices and uses a batch quote endpoint for snapshots, staying at about 2 data requests per second. A token-bucket limiter in the API client caps order placement at 2 per second — deliberately below 3 — reserving margin. When a burst of signals arrives, orders queue through the limiter rather than firing all at once and earning a 429. The numbers are illustrative.
Indian broker APIs commonly separate quotas — for example a modest orders-per-second cap alongside a higher data-request cap — and enforce them per API key. If you run several strategies on one key they share the same budget, so a chatty research script can throttle your live order flow. Isolating critical execution behind its own reserved budget prevents that collision.
Advantages
- Respecting limits keeps your access stable and avoids disruptive bans
- Client-side throttling makes request load predictable and smooth
- Batching and streaming cut request counts, improving both limits and latency
- Reserving budget for orders ensures critical actions are not starved by background tasks
Limitations
- Limits constrain how frequently you can poll or act, which some strategies must design around
- Windows and enforcement differ per broker and endpoint, so tuning is broker-specific
- A shared key means one component's requests can throttle another's
- Under a ban your system is blind and cannot act, which is dangerous with open positions
- Published limits can change, silently breaking a system tuned to the old ceiling
Common mistakes
- Retrying immediately after a 429 instead of honouring Retry-After and backing off
- Polling REST endpoints in a tight loop instead of using a WebSocket or batch call
- Riding the exact published limit with no safety margin for clock and window drift
- Letting a background or research task share the order-flow budget and starve real orders
- Ignoring per-endpoint limits and assuming one global quota covers everything
- Not caching slow-changing data like the instrument master, re-fetching it every cycle
Professional usage
Professional clients embed a rate limiter (token or leaky bucket) at the transport layer so every request across the system is automatically paced below the published cap. They separate budgets by priority, reserving headroom for order placement and cancellation, and they prefer batch endpoints and streaming over polling to minimise request count. 429s and Retry-After headers feed the backoff logic, and limit breaches are monitored as an early warning that something is misbehaving before a ban lands.
Key takeaways
- A rate limit caps requests per time window; exceeding it yields 429s, throttling or bans
- Throttle yourself client-side with a token/leaky bucket, tuned below the published ceiling
- Reduce requests by batching, streaming and caching instead of polling in loops
- Reserve budget for critical order flow, and honour Retry-After rather than hammering after a 429
Frequently asked questions
What is an API rate limit?
What does a 429 error mean?
How do I avoid hitting rate limits?
What is a token-bucket rate limiter?
Do order and data requests share the same limit?
What happens if I keep exceeding the limit?
Should I retry immediately after a 429?
How does batching help with rate limits?
Can polling for prices trip the rate limit?
Why reserve budget for order requests?
Are rate limits the same across brokers?
Do multiple strategies on one key share a limit?
Voice search & related questions
Natural-language questions people ask about Rate Limits.
What is a rate limit on a trading API?
What should I do when I get a 429 error?
How do I stop hitting the rate limit?
Why not just poll prices as fast as possible?
Can hitting rate limits get me banned?
Do my orders and data share the same limit?
Sources & references
Last reviewed 11 July 2026. Educational content only — not investment advice. Markets and rules change; verify current conventions with SEBI, NSE/BSE and your broker.