Global Rate Limits
Global rate limits count every API call an app makes within the 1-hour sliding window, regardless of the particular endpoint. The two limits are applied independently of each other: authenticated calls are not counted against the rate limit for unauthenticated calls, and vice versa.
| Call type | Limit |
|---|---|
| Authenticated Calls | 5,000 / hour per token |
| Unauthenticated Calls | 5,000 / hour per application |
We recommend that you use an OAuth token for the authenticated user for each endpoint, even in cases where it's not required, since the rate limit for authenticated calls scales as the number of people using your app grows.
Information regarding the global rate limits is included in the HTTP headers of the response to each of your calls, which enables your app to determine its current status with respect to these rate limits. The following fields are provided in the headers of each response, and their values relate to the type of call that was made (authenticated or unauthenticated):
X-Ratelimit-Remaining: the remaining number of calls available to your app within the 1-hour window
X-Ratelimit-Limit: the total number of calls allowed within the 1-hour window
Endpoint-Specific Rate Limits
Certain POST endpoints have rate limits that are applied per endpoint. Any calls made to these endpoints by your OAuth Client are also counted towards the global rate limits noted above. The rate limits for these endpoints depend on whether your OAuth Client is configured to issue signed requests.
Signed requests mean that your app issues POSTs server-side with the X-Insta-Forwarded-For header containing your Client Secret. To enable signed requests, your app must be configured to both disable implicit OAuth and enforce signed headers.
Please refer to the Restrict API Requests documentation for more information on how to sign your API calls.
| Endpoint | Unsigned Calls (per token) | Signed Calls (per token) |
|---|---|---|
| POST /media/media-id/likes | 30 / hour | 100 / hour |
| POST /media/media-id/comments | 15 / hour | 60 / hour |
| POST /users/user-id/relationships | 20 / hour | 60 / hour |
If your app exceeds any of these rate limits, you will receive a response with an HTTP response code of 429 (Too Many Requests). The body of the response will consist of the following fields:
| Field | Value |
|---|---|
| error_message | The maximum number of requests per hour has been exceeded. |
You may also receive responses with an HTTP response code of 400 (Bad Request) if we detect spammy behavior by a person using your app. These errors are unrelated to rate limiting.
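The following is an added example, not part of the original documentation: a client-side tracker that reads X-Ratelimit-Remaining for the global limit and counts POSTs locally for the endpoint-specific limits, since the page only describes response headers for the global limits. `RateBudget`, the `BACKOFF` value and the returned action strings are hypothetical names and values chosen for illustration.

```python
import time
from collections import defaultdict, deque

WINDOW = 3600  # seconds; the page's 1-hour sliding window
BACKOFF = 60   # seconds to pause after a 429 (assumed value, not from the page)
# Per-token POST limits from the table above: endpoint -> (unsigned, signed)
ENDPOINT_LIMITS = {"likes": (30, 100), "comments": (15, 60), "relationships": (20, 60)}

class RateBudget:
    """Hypothetical client-side tracker for one OAuth client."""

    def __init__(self, signed=False, clock=time.time):
        self.signed, self.clock = signed, clock
        self.sent = defaultdict(deque)  # (token, endpoint) -> send timestamps
        self.remaining = {}             # bucket -> (X-Ratelimit-Remaining, seen_at)
        self.paused_until = {}          # (token, endpoint) -> timestamp

    @staticmethod
    def bucket(token):
        # Authenticated calls count per token, unauthenticated ones per application.
        return ("token", token) if token else ("app", None)

    def may_post(self, token, endpoint):
        now, key = self.clock(), (token, endpoint)
        if now < self.paused_until.get(key, 0):
            return False
        window = self.sent[key]
        while window and now - window[0] >= WINDOW:
            window.popleft()  # calls older than one hour no longer count
        if len(window) >= ENDPOINT_LIMITS[endpoint][int(self.signed)]:
            return False
        left, seen_at = self.remaining.get(self.bucket(token), (1, now))
        # A header value older than the window says nothing about the current state.
        return left > 0 or now - seen_at >= WINDOW

    def record(self, token, endpoint, status, headers):
        """Fold one response into the tracker and tell the caller what to do."""
        now, key = self.clock(), (token, endpoint)
        self.sent[key].append(now)
        lowered = {name.lower(): value for name, value in headers.items()}
        if "x-ratelimit-remaining" in lowered:
            left = int(lowered["x-ratelimit-remaining"])
            self.remaining[self.bucket(token)] = (left, now)
        if status == 429:  # a limit was exceeded; the error_message does not say which
            self.paused_until[key] = now + BACKOFF
            return "backoff"
        if status == 400:  # spam detection, unrelated to rate limiting
            return "review"
        return "ok"
```

Call `may_post` before each POST and `record` after each response; passing a fake `clock` makes the sliding window testable without waiting.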