Rate Limits
Learn about API rate limits.
The Lithic API enforces rate limiting on all endpoints with the exception of card embeds. Traffic that breach our limits will receive a 429 status code and will not be processed.
We group endpoints by resource (table provided below), and rate limits will be applied across endpoints belonging to a particular resource. We enforce rate limits separately for each HTTP method. For example, if you make a call to GET /cards and GET /cards/{uuid} within the same second, both calls will contribute to your consumed GET /cards requests per second (RPS) because they both belong to the cards resource and have the same HTTP method. However, a call to GET /cards and POST /cards will be evaluated separately because they are different HTTP methods even though they belong to the same resource. Similarly, PATCH /cards and POST /cards will be evaluated separately because they are different HTTP methods (even though they are both write operations).
In Production, the default rate limit for read operations is 30 RPS and for write operations is 5 RPS. In Sandbox, the default rate limit for read operations is 15 RPS and for write operations is 1 RPS.
The exceptions to these defaults are the cards resource with 15 RPS and 2 RPS for write operations in Production and Sandbox, respectively and the transfers resource with 5 RPS and 2 RPS for write operations in Production and Sandbox, respectively.
Account holder creation via the KYC advanced workflow may be subject to lower rate limits due to third-party vendors.
We will always include the response header x-requests-remaining which indicates how many RPS you have left in the given second. Should you be rate limited, you will also see the response header retry-after: "1" indicating the need to wait one second before retrying requests. Note that the Lithic SDKs natively support retries when the retry-after header is present.
Lithic reserves the right to temporarily tighten these limits during high load or service interruptions. If higher RPS is needed for specific one-off operations (e.g. migrations), please contact[email protected]
Resource Groupings with Defaults
Resource | Endpoints | Default Rate Limit Production | Default Rate Limit Sandbox |
|---|---|---|---|
accounts | /accounts* | 30 RPS read | 15 RPS read |
account_holders | /account_holders* | 30 RPS read | 15 RPS read |
auth_rules | /auth_rules* | 30 RPS read | 15 RPS read |
auth_stream | /auth_stream* | 30 RPS read | 15 RPS read |
cards | /cards* (excluding search by pan) | 30 RPS read | 15 RPS read |
card_programs | /card_programs* | 30 RPS read | 15 RPS read |
funding_sources | /funding_sources* | 30 RPS read | 15 RPS read |
responder_endpoints | /responder_endpoints* | 30 RPS read | 15 RPS read |
transactions | /transactions* | 30 RPS read | 15 RPS read |
external_bank_accounts | /external_bank_accounts* | 30 RPS read | 15 RPS read |
tokenization_decisioning | /tokenization_decisioning* | 30 RPS read | 15 RPS read |
tokenizations | /tokenizations* | 30 RPS read | 15 RPS read |
disputes | /disputes* | 30 RPS read | 15 RPS read |
balances | /balances | 30 RPS read | 15 RPS read |
card_product | /card_product* | 30 RPS read | 15 RPS read |
financial_accounts | /financial_accounts* | 30 RPS read | 15 RPS read |
financial_transactions | /financial_accounts/{uuid}/financial_transactions /cards/{uuid}/financial_transactions | 30 RPS read | 15 RPS read |
payments | /payments* | 30 RPS read | 15 RPS read |
transfers | /transfers* | 30 RPS read | 15 RPS read |
reports | /reports* | 30 RPS read | 15 RPS read |
statements | /financial_accounts/{uuid}/statements* | 30 RPS read | 15 RPS read |
events | /events* | 30 RPS read | 15 RPS read |
simulations (sandbox only) | /three_ds_authentication/simulate | N/A | 15 RPS read |
Changelog
- May 20, 2024 - Enforcement begins
- May 13, 2024 - Initial public documentation released
Updated about 14 hours ago