## Default limit

The global limit is 200 requests per minute per client IP across all `/v1` endpoints.

The token exchange endpoint (`POST /v1/auth/exchange`) has an additional limit of 10 requests per minute per token. Cache the resulting JWT; do not exchange on every call.
## Response headers

Every response from `/v1` includes the standard rate-limit headers so you can monitor your usage:

| Header | Meaning |
|---|---|
| `RateLimit-Limit` | The total number of requests allowed in the current window |
| `RateLimit-Remaining` | The number of requests left in the current window |
| `RateLimit-Reset` | Seconds until the window resets |
## Handling 429 Too Many Requests

When you hit the limit, the API returns `429 Too Many Requests`. The `Retry-After` header tells you how many seconds to wait before retrying. Use exponential backoff with jitter and always respect `Retry-After`.
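The retry policy described above, written out as an added example (this is not the Enkryptify SDK's code). It assumes a zero-argument `send` callable that performs one HTTP request and returns an object with `status_code` and `headers`; the `Response` class, the base delay of 0.5 s and the 30 s cap are constructed for the example. The wait before each retry is exponential backoff with full jitter, and it is never shorter than the server's `Retry-After`.

```python
import random
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status_code: int
    headers: dict = field(default_factory=dict)


def header(headers, name):
    """Case-insensitive header lookup; real HTTP headers are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def parse_rate_limit(headers):
    """Read the RateLimit-* headers into ints (None when a header is absent)."""
    def get_int(name):
        value = header(headers, name)
        return int(value) if value is not None else None
    return {
        "limit": get_int("RateLimit-Limit"),
        "remaining": get_int("RateLimit-Remaining"),
        "reset": get_int("RateLimit-Reset"),
    }


def backoff_delay(attempt, retry_after, base=0.5, cap=30.0, rng=random.random):
    """Seconds to wait before the next attempt.

    Exponential backoff with full jitter (base * 2**attempt, capped, scaled by a
    random factor in [0, 1)), but never less than Retry-After when the server sent one.
    base and cap are example values, not documented by the API.
    """
    jittered = min(cap, base * (2 ** attempt)) * rng()
    if retry_after is None:
        return jittered
    return max(float(retry_after), jittered)


def request_with_backoff(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call send() until it returns something other than 429 or attempts run out.

    sleep and rng are injectable so the policy can be exercised without real waiting.
    Raises RuntimeError when every attempt was rate limited.
    """
    for attempt in range(max_attempts):
        response = send()
        if response.status_code != 429:
            return response
        retry_after = header(response.headers, "Retry-After")
        retry_after = int(retry_after) if retry_after is not None else None
        sleep(backoff_delay(attempt, retry_after, rng=rng))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


if __name__ == "__main__":
    # Constructed sequence: two 429s (one with Retry-After, one without), then a 200.
    scripted = iter([
        Response(429, {"Retry-After": "2"}),
        Response(429, {}),
        Response(200, {"RateLimit-Limit": "200", "RateLimit-Remaining": "199", "RateLimit-Reset": "42"}),
    ])
    waited = []
    final = request_with_backoff(lambda: next(scripted), sleep=waited.append)
    print("status:", final.status_code, "waits:", waited, "quota:", parse_rate_limit(final.headers))
```

Because `sleep` and `rng` are parameters, the same function can be driven by a real HTTP client in production and by scripted responses in a unit test; the quota parsed from `RateLimit-Remaining` is what you would feed into a dashboard or a pre-emptive slow-down before the limit is actually hit.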
## Tips

- Cache JWTs. If you use the exchange flow, store the JWT for its full 15-minute lifetime instead of exchanging on every request.
- Batch where possible. If you need many secrets, fetch them in one `GET /secrets` call rather than one call per key.
- Use the SDK. The Enkryptify SDK caches secrets locally and handles JWT exchange automatically.
- Contact us for higher limits. If you have a legitimate use case that exceeds these limits, reach out.
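The JWT caching tip, as an added example of how a client keeps within the 10-per-minute exchange limit (this is example code, not the Enkryptify SDK). The 15-minute lifetime comes from the text above; the 60-second refresh margin, the `exchange` callable that stands in for `POST /v1/auth/exchange`, and the injectable clock are assumptions made for the example.

```python
import time

JWT_LIFETIME_SECONDS = 15 * 60   # documented lifetime of an exchanged JWT
REFRESH_MARGIN_SECONDS = 60      # assumption: refresh early so no request carries an expired token


class CachedToken:
    """Holds the JWT from the exchange endpoint and re-exchanges only when it is
    about to expire, so a busy client performs one exchange per lifetime rather
    than one per request."""

    def __init__(self, exchange, clock=time.monotonic,
                 lifetime=JWT_LIFETIME_SECONDS, margin=REFRESH_MARGIN_SECONDS):
        self._exchange = exchange   # zero-argument callable returning a fresh JWT string
        self._clock = clock         # injectable so expiry can be tested without waiting
        self._lifetime = lifetime
        self._margin = margin
        self._jwt = None
        self._expires_at = 0.0
        self.exchange_count = 0

    def get(self):
        """Return a JWT that is valid for at least `margin` more seconds."""
        now = self._clock()
        if self._jwt is None or now >= self._expires_at - self._margin:
            self._jwt = self._exchange()
            self._expires_at = now + self._lifetime
            self.exchange_count += 1
        return self._jwt


def exchanges_for_workload(request_count, interval_seconds):
    """Simulate `request_count` API calls spaced `interval_seconds` apart and return how
    many token exchanges the cache performed. Constructed workload, no network involved."""
    clock = {"now": 0.0}
    issued = []

    def fake_exchange():
        issued.append(clock["now"])
        return f"jwt-{len(issued)}"   # constructed token value

    cache = CachedToken(fake_exchange, clock=lambda: clock["now"])
    for i in range(request_count):
        clock["now"] = i * interval_seconds
        cache.get()                   # attach this JWT to the request in real code
    return cache.exchange_count


if __name__ == "__main__":
    # 100 requests in 100 seconds: without caching that would be 100 exchanges,
    # far beyond the 10-per-minute exchange limit; with caching it is one.
    print("exchanges for 100 requests over 100 s:", exchanges_for_workload(100, 1.0))
    print("exchanges for 2000 requests over ~33 min:", exchanges_for_workload(2000, 1.0))
```

The refresh margin is what makes the cache safe to share between threads or requests that are already in flight: a token handed out at the 14-minute mark still has a minute left, so a slow request does not arrive at the API with a JWT that expired mid-flight.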