Rate Limiting
To protect OpenAlgo from abuse and ensure fair usage across users, rate limits are enforced at both login and API levels. These limits are configurable via the .env file and apply globally per IP address or API key.
OpenAlgo applies two login-specific rate limits:
Per Minute: 5 per minute. Allows a maximum of 5 login attempts per minute.
Per Hour: 25 per hour. Allows a maximum of 25 login attempts per hour.
These limits help prevent brute-force login attempts and secure user accounts.
General API calls are limited globally as follows:
Per Second: 10 per second. Allows a maximum of 10 API requests per second.
This applies to all API endpoints other than login, including order placement, account info, and market data APIs.
You can adjust the rate limits by editing the following variables in your .env or .env.sample file:
These limits follow and support formats like:
10 per second
100 per minute
1000 per day
If a client exceeds any configured rate limit:
The server will respond with HTTP status 429 Too Many Requests.
A Retry-After header will be sent with the time to wait before retrying.
Further requests will be blocked until the rate window resets.
Avoid retrying failed login attempts rapidly.
Spread out API requests using sleep/delay logic or a rate-limiter in your client code.
Use queues or batching when dealing with large volumes of data or orders.
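A client-side sketch of the practices above, added here as an example and not taken from OpenAlgo's code: it paces requests to a limit string in the format shown on this page and honours Retry-After on a 429. The names parse_limit, ClientRateLimiter and call_with_backoff are hypothetical, and send is assumed to be any callable you supply that returns (status, headers, body).

```python
import re
import time
from collections import deque

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_limit(text):
    """Turn a limit string such as '10 per second' into (count, window_seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s+per\s+(second|minute|hour|day)\s*", text.lower())
    if not m:
        raise ValueError(f"unrecognised rate limit: {text!r}")
    return int(m.group(1)), UNITS[m.group(2)]

class ClientRateLimiter:
    """Sliding window: at most `count` requests in any `window` seconds."""
    def __init__(self, limit, clock=time.monotonic, sleep=time.sleep):
        self.count, self.window = parse_limit(limit)
        self.clock, self.sleep = clock, sleep
        self.sent = deque()  # send times still inside the window

    def wait(self):
        """Block until one more request fits in the window, then record it."""
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= self.window:
                self.sent.popleft()
            if len(self.sent) < self.count:
                self.sent.append(now)
                return
            self.sleep(self.window - (now - self.sent[0]))

def call_with_backoff(send, limiter, max_retries=3):
    """Call send() -> (status, headers, body); on 429 wait Retry-After and retry."""
    for attempt in range(max_retries + 1):
        limiter.wait()
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt < max_retries:
            try:
                # Retry-After in seconds; absent or HTTP-date values fall back
                delay = max(0.0, float(headers.get("Retry-After", "")))
            except ValueError:
                delay = float(limiter.window)
            limiter.sleep(delay)
    raise RuntimeError("still rate limited after retries")
```

Set the client limit slightly below the server's configured value so that clock skew and network jitter do not push bursts over the window.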