Rate Limits

How the Nashra API rate limits work, the response headers, and best practices for staying within limits.

Authenticated endpoints

Authenticated endpoints share a per-token rate limit. The default is 60 requests per minute per token, applied across all authenticated routes.

Every response includes headers describing your current state:

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 53
X-RateLimit-Reset: 1620345678

Header	What it means
`X-RateLimit-Limit`	Maximum requests allowed in the window
`X-RateLimit-Remaining`	Requests left in the current window
`X-RateLimit-Reset`	Unix timestamp when the window resets

The public form-submit endpoints have stricter limits to prevent abuse. They're rate-limited per IP address:

Endpoint	Limit
`POST /api/v1/tenants/{slug}/subscribe`	5 requests / minute
`POST /api/v1/tenants/{slug}/magic-links/{identifier}`	5 requests / minute
`POST /subscribe/{identifier}` (form action URL)	10 requests / minute

If you're running a launch and seeing legitimate signups hit these limits, contact support — limits can be raised on request.

A 429 Too Many Requests response looks like this:

{
  "error": {
    "message": "API rate limit exceeded",
    "code": "RATE_LIMITED"
  },
  "retry_after": 30
}

The retry_after value tells you how many seconds to wait before retrying.

Cache — Store data locally instead of re-fetching the same information every time.
Paginate — Use per_page and page to fetch lists in chunks. Default is 15, max is 100.
Batch where possible — Use POST /subscribers/bulk to upsert up to 100 subscribers per request instead of making 100 individual calls.
Back off on 429 — Wait retry_after seconds. Use exponential backoff for repeated failures.
Use webhooks where possible — For event-driven flows (new subscriber, send delivered), webhooks beat polling.

If your integration legitimately requires more, contact us at support@nashra.ai. Include the token name and expected request volume.

Was this page helpful?

Last updated 3 weeks ago