Skip to main content
The system does not apply any rate limits for server-to-server API calls. Instead, the system aims to grow with the business to handle the throughput needs required. That said, certain rate limits are applied on browser/app-to-server API calls in order to prevent enumeration attacks, preventing a malicious party from enumerating credit, debit, or scheme cards to check their validity.

Enumeration prevention

In order to prevent enumeration attacks, the following limits are applied.
Rate limitThe current rate limit for these endpoints is set to approximately 50 requests per minute across all endpoints, per token. This value may be adjusted downward in time to adjust for enumeration attacks.Generating a new checkout session ID or JWT token for every checkout is recommended to prevent a user from being rate-limited.