Rate limiting practices

In order to protect you and our other customers, we employ rate limiting across our APIs. You can make up to 10,000 requests every five minutes per user as determined by IP address. Learn about rate limiting.

Rolling window

The five-minute window for rate limiting is a rolling window. If you receive an error for exceeding the limit, you don't have to wait for five minutes from the time the error was triggered. Instead, you only need to wait until that five-minute window is over.

For example, if you send 7,500 requests within three minutes and you receive an error, you only need to wait two more minutes before retrying.

Exceeding the limit

If your IP address exceeds this limit—until the five-minute window has elapsed—we respond to requests by:

sending an HTTP 429 status code response (learn about HTTP 429 status), and
adding an X-RateLimit-Limit HTTP response header with the current limit (7,500).

Throttling

This limit should be sufficient for any nominal operation, but it may cause issues during backfilling. We expect you to throttle your API requests to stay within this limit. If this isn't possible, submit a ticket via our Help Desk to examine alternative options.

Lower rate limits

For security reasons, some API requests have lower rate limits than the standard 10,000 per five minutes. But the error message and our recommendation for handling exceeding rate limiting is the same.

FHIR® is a registered trademark of Health Level Seven International (HL7) and is used with the permission of HL7. Use of this trademark does not constitute an endorsement of products/services by HL7®.