Rate Limits

Learn about API rate limits.

The Lithic API enforces rate limiting on all endpoints with the exception of card embeds. Traffic that breach our limits will receive a 429 status code and will not be processed.

We group endpoints by resource (table provided below), and rate limits will be applied across endpoints belonging to a particular resource. We enforce rate limits separately for each HTTP method. For example, if you make a call to GET /cards and GET /cards/{uuid} within the same second, both calls will contribute to your consumed GET /cards requests per second (RPS) because they both belong to the cards resource and have the same HTTP method. However, a call to GET /cards and POST /cards will be evaluated separately because they are different HTTP methods even though they belong to the same resource. Similarly, PATCH /cards and POST /cards will be evaluated separately because they are different HTTP methods (even though they are both write operations).

In Production, the default rate limit for read operations is 30 RPS and for write operations is 5 RPS. In Sandbox, the default rate limit for read operations is 15 RPS and for write operations is 1 RPS.

The exceptions to these defaults are the cards resource with 15 RPS and 2 RPS for write operations in Production and Sandbox, respectively and the transfers resource with 5 RPS and 2 RPS for write operations in Production and Sandbox, respectively.

Account holder creation via the KYC advanced workflow may be subject to lower rate limits due to third-party vendors.

We will always include the response header x-requests-remaining which indicates how many RPS you have left in the given second. Should you be rate limited, you will also see the response header retry-after: "1" indicating the need to wait one second before retrying requests. Note that the Lithic SDKs natively support retries when the retry-after header is present.

Lithic reserves the right to temporarily tighten these limits during high load or service interruptions. If higher RPS is needed for specific one-off operations (e.g. migrations), please contact [email protected]

Resource Groupings with Defaults

ResourceEndpointsDefault Rate Limit ProductionDefault Rate Limit Sandbox
accounts/accounts*30 RPS read
5 RPS write
15 RPS read
1 RPS write
account_holders/account_holders*30 RPS read
5 RPS write
15 RPS read
1 RPS write
auth_rules/auth_rules*30 RPS read
5 RPS write
15 RPS read
1 RPS write
auth_stream/auth_stream*30 RPS read
5 RPS write
15 RPS read
1 RPS write
cards/cards* (excluding search by pan)30 RPS read
15 RPS write
15 RPS read
2 RPS write
card_programs/card_programs*30 RPS read
5 RPS write
15 RPS read
1 RPS write
funding_sources/funding_sources*30 RPS read
5 RPS write
15 RPS read
1 RPS write
responder_endpoints/responder_endpoints*30 RPS read
5 RPS write
15 RPS read
1 RPS write
transactions/transactions*30 RPS read
5 RPS write
15 RPS read
1 RPS write
external_bank_accounts/external_bank_accounts*30 RPS read
5 RPS write
15 RPS read
1 RPS write
tokenization_decisioning/tokenization_decisioning*30 RPS read
5 RPS write
15 RPS read
1 RPS write
tokenizations/tokenizations*30 RPS read
5 RPS write
15 RPS read
1 RPS write
disputes/disputes*30 RPS read
5 RPS write
15 RPS read
1 RPS write
balances/balances
/financial_accounts/{uuid}/balances
/aggregate_balances
30 RPS read
5 RPS write
15 RPS read
1 RPS write
card_product/card_product*30 RPS read
5 RPS write
15 RPS read
1 RPS write
financial_accounts/financial_accounts*30 RPS read
5 RPS write
15 RPS read
1 RPS write
financial_transactions/financial_accounts/{uuid}/financial_transactions

/cards/{uuid}/financial_transactions
30 RPS read
5 RPS write
15 RPS read
1 RPS write
payments/payments*30 RPS read
5 RPS write
15 RPS read
1 RPS write
transfers/transfers*
/transfer_configuration_codes
30 RPS read
5 RPS write
15 RPS read
2 RPS write
reports/reports*30 RPS read
5 RPS write
15 RPS read
1 RPS write
statements/financial_accounts/{uuid}/statements*30 RPS read
5 RPS write
15 RPS read
1 RPS write
events/events*
/event_subscriptions*
30 RPS read
5 RPS write
15 RPS read
1 RPS write
simulations/three_ds_authentication/simulate
/simulate*
30 RPS read
5 RPS write
15 RPS read
1 RPS write

Changelog

  • May 20, 2024 - Enforcement begins
  • May 13, 2024 - Initial public documentation released