Skip to main content

Overview

Rate limits protect the Zenstep API from abuse and ensure fair resource allocation. Limits are applied per-organisation and per-endpoint bucket.

Limits by endpoint

EndpointBucketLimitWindow
POST /api/v1/eventsevents300 requests60 seconds
GET /api/v1/flowsflows60 requests60 seconds
GET /api/v1/flows/[id]flows60 requests60 seconds
POST /api/v1/flows/[id]/completeflows60 requests60 seconds
GET/POST /api/v1/flows/[id]/checklist-progressflows60 requests60 seconds
POST /api/v1/steps/[id]/fingerprintfingerprint30 requests60 seconds
POST /api/v1/steps/[id]/healthhealth60 requests60 seconds
GET /api/v1/heartbeatheartbeat10 requests60 seconds
GET /api/v1/snippet-statusstatus10 requests60 seconds
The events bucket allows batch requests of up to 50 events each — so the effective throughput is up to 15,000 events per minute per organisation at the maximum batch size.

Rate limit headers

Every response includes rate limit headers:
HeaderDescription
X-RateLimit-LimitMaximum requests allowed in the window
X-RateLimit-RemainingRequests remaining in the current window
X-RateLimit-ResetUnix timestamp (seconds) when the window resets

Handling 429 responses

When you exceed the rate limit, the API returns:
Use the Retry-After header value (in seconds) to delay your next request:

Best practices

Batch events — the /api/v1/events endpoint accepts up to 50 events per request. Always batch events from your snippet rather than sending one request per event. Cache flow data — the /api/v1/flows response is stable between publishes. Cache it for the duration of a user session and only re-fetch on SPA navigation or after a configurable TTL (the Zenstep snippet caches for the page lifecycle by default). Backoff on 429 — implement exponential backoff for any integration that calls the API from a backend service.