Rate limits

API requests are rate limited to ensure fair usage and platform stability. Limits are applied per user.

Request rate limits

| Endpoint type | Limit |
| --- | --- |
| GET requests | 250 requests/minute |
| POST and DELETE requests | 125 requests/minute |
| /scans/{id}/output | 60 requests/minute |
Pentest Robots have no rate limit when stopping scans via the API.

Rate limit headers

You can inspect your current rate limit status by checking the response headers on any request:
| Header | Description |
| --- | --- |
| X-RateLimit-Limit | Maximum requests allowed per minute |
| X-RateLimit-Remaining | Requests remaining in current window |

Example:

X-RateLimit-Limit: 250
X-RateLimit-Remaining: 245

When rate limited

When you exceed the rate limit, you’ll receive a 429 Too Many Requests response with additional headers:
| Header | Description |
| --- | --- |
| X-RateLimit-Reset | Unix timestamp when the limit resets |
| Retry-After | Seconds to wait before retrying |

Best Practice: Implement exponential backoff:
import time
import requests

def api_request_with_retry(url, headers, max_retries=3):
    """GET url, sleeping and retrying whenever the API answers 429 Too Many Requests."""
    for attempt in range(max_retries):
        response = requests.get(url, headers=headers, timeout=30)

        if response.status_code == 429:
            # Honour the server's Retry-After (seconds); fall back to exponential backoff
            retry_after = int(response.headers.get('Retry-After', 2 ** attempt))
            time.sleep(retry_after)
            continue

        return response

    raise RuntimeError("Max retries exceeded")

Error response format

Error responses include a status code and message, with optional details:
{
  "status": 400,
  "message": "No tool_id specified"
}
With additional details:
{
  "status": 404,
  "message": "Invalid target_id",
  "details": "Target was not found"
}

Error codes

| Code | Meaning | Common causes |
| --- | --- | --- |
| 400 | Bad Request | Missing required parameters, invalid input format |
| 401 | Unauthorized | Missing or invalid API key |
| 403 | Forbidden | Valid API key but insufficient permissions |
| 404 | Not Found | Resource doesn’t exist or you don’t have access |
| 406 | Not Acceptable | Requested format not supported (e.g., JSON output for raw-only tools) |
| 409 | Conflict | Operation conflicts with current state (e.g., deleting a running scan) |
| 422 | Unprocessable Entity | Validation failed for the request body |
| 429 | Too Many Requests | Rate limit exceeded |
| 500 | Internal Server Error | Server-side issue; retry later |

Common errors

Cause: Invalid or missing API key
Solution: Verify your API key is correct and included in the Authorization header as Bearer YOUR_API_KEY

Cause: Your API key lacks permission for this action
Solutions:
  • Check your subscription plan includes the requested feature
  • Verify you have access to the workspace or resource
  • For target deletion: ensure your plan allows API target deletion

Cause: Resource doesn’t exist or you don’t have access
Solutions:
  • Verify the resource ID is correct
  • Check the resource belongs to your account or a workspace you have access to
  • For scans/targets: ensure they haven’t been deleted

Cause: Requested output format not supported
Example: Requesting JSON output for a tool that only provides raw output
Solution: Use a different output format or download the PDF report instead

Cause: Operation conflicts with current resource state
Examples:
  • Deleting a scan that is still running
  • Creating a workspace with a name that already exists
  • Deleting your current active workspace
Solution: Resolve the conflict (e.g., stop the scan first) before retrying

Cause: Rate limit exceeded
Solution: Wait for the duration specified in the Retry-After header before making more requests

Best practices

Always check the status field in error responses to determine the appropriate action.
  • Handle errors gracefully: Implement proper error handling for all API calls
  • Respect rate limits: Monitor X-RateLimit-Remaining and slow down before hitting limits
  • Use exponential backoff: When retrying failed requests, increase wait time between attempts
  • Log errors: Keep records of errors for debugging and monitoring
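The rate-limit headers, the 429 handling and the documented error body, combined into one client policy. This is an added example, not the API's own client library: the injectable `send`, `sleep` and `clock` callables, the low-water mark of 10 remaining requests and the 60/Limit spacing heuristic are assumptions made here.

```python
import random
import time
from dataclasses import dataclass
from typing import Callable, Optional

RETRYABLE_STATUSES = {429, 500}  # rate limited / server-side issue: the only codes worth retrying

@dataclass
class ApiError(Exception):
    """Documented error body: status and message, plus optional details."""
    status: int
    message: str
    details: Optional[str] = None

def parse_error(response) -> ApiError:
    try:
        body = response.json()
    except ValueError:  # non-JSON error body
        body = {}
    return ApiError(body.get("status", response.status_code), body.get("message", ""), body.get("details"))

def wait_after_429(headers, attempt: int, now: float) -> float:
    """Seconds to wait: Retry-After first, then X-RateLimit-Reset, then 2**attempt plus jitter."""
    if "Retry-After" in headers:
        return max(0.0, float(headers["Retry-After"]))
    if "X-RateLimit-Reset" in headers:
        return max(0.0, float(headers["X-RateLimit-Reset"]) - now)
    return 2 ** attempt + random.uniform(0, 1)

def pacing_delay(headers, low_water: int = 10) -> float:
    """Assumed heuristic: once Remaining drops below low_water, space calls 60/Limit s apart (limits are per minute)."""
    remaining, limit = headers.get("X-RateLimit-Remaining"), headers.get("X-RateLimit-Limit")
    if remaining is None or limit is None or int(remaining) >= low_water:
        return 0.0
    return 60.0 / max(int(limit), 1)

def call_with_policy(send: Callable[[], object], max_retries: int = 3,
                     sleep: Callable[[float], None] = time.sleep, clock: Callable[[], float] = time.time):
    """send() issues one request and returns a response with .status_code, .headers and .json()."""
    for attempt in range(max_retries + 1):
        response = send()
        if response.status_code < 400:
            sleep(pacing_delay(response.headers))  # 0.0 unless Remaining is low
            return response
        if response.status_code not in RETRYABLE_STATUSES or attempt == max_retries:
            raise parse_error(response)  # 4xx other than 429, or retries exhausted
        if response.status_code == 429:
            sleep(wait_after_429(response.headers, attempt, clock()))
        else:
            sleep(2 ** attempt + random.uniform(0, 1))  # 500: plain exponential backoff
```

With `requests`, `send` is simply `lambda: requests.get(url, headers=headers, timeout=30)`; the returned `ApiError` carries the documented `status`, `message` and `details` fields so callers can branch on them.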