Rate limits

API token limits

Type	Limit
Client API per user/account token	1200/5 minutes
Client API per IP	200/second
GraphQL	Varies by query cost. Max 320/5 min
User API token quota	50
Account API token quota	500

Note

The global rate limit for the Cloudflare API is 1,200 requests per five minute period per user, and applies cumulatively regardless of whether the request is made via the dashboard, API key, or API token.

If you exceed this limit, all API calls for the next five minutes will be blocked, receiving a HTTP 429 - Too Many Requests response.

Some specific API calls have their own limits and are documented separately, such as the following:

• Cache Purge APIs
• GraphQL APIs
• Rulesets APIs
• Lists API
• Gateway Lists API

Enterprise customers can also contact Cloudflare Support to raise the Client API per user, GraphQL, or API token limits to a higher value.

Rate limiting headers

The following headers are returned when calling REST APIs:

• x-ratelimit-limit: The total number of requests a caller can make.
• x-ratelimit-remaining: The number of remaining requests before the rate limit takes effect.
• retry-after: The number of seconds, rounded up, until more capacity is available.
• x-ratelimit-reset: The RFC 1123 formatted date when more capacity is available.

Cloudflare's SDKs will also automatically work with the headers and back off in response to rate limits.