Rate Limiting

How to work with rate limiting constraints on some API endpoints

What is rate limiting?

Rate limiting controls how many requests a consumer can make to specific API endpoints within a defined time period. This helps prevent traffic spikes, protects the platform from abuse, and ensures consistent performance for all users.

How Hosted Capital applies rate limiting

Wayflyer Hosted Capital applies rate limits using a sliding window strategy. Instead of resetting counts at fixed intervals (e.g., every hour on the hour), the sliding window continuously measures request volume over a moving time period.

For example, if an endpoint allows 100 requests per hour, the system evaluates how many requests were made in the 60 minutes immediately preceding each new request. If fewer than 100 requests were made within that rolling window, the new request is allowed. If the limit has already been reached within that window, the request is rejected.

To help consumers monitor usage and avoid hitting these limits, every response from a rate-limited endpoint also includes the following headers:

  • RateLimit-Limit: the maximum number of requests allowed within the sliding window.
  • RateLimit-Remaining: how many requests remain available before the limit is reached.

In addition, when a consumer exceeds the limit for a given endpoint, the API responds with HTTP 429 Too Many Requests and the following header:

  • Retry-After: the number of seconds the client must wait before attempting another request.

Best practices

  • Check endpoint-specific limits: Rate limits vary per endpoint. Review the API documentation to understand the limits for each endpoint your integration uses.
  • Implement client-side throttling: Use the documented limits to pace requests and prevent exceeding them. Spread requests over time and queue non-critical operations when necessary.
  • Handle 429 responses gracefully: If you receive a 429 response, respect the Retry-After header and pause requests to the affected endpoint for the specified duration. Avoid immediate retries.
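
The throttling and 429 handling described above can be combined in one client-side helper. The following is an added example, not Wayflyer's own code: the class name, the `send` callable returning `(status, headers)`, the injectable clock, and the one-second fallback when `Retry-After` is unusable are all assumptions made for illustration.

```python
import time
from collections import deque


class SlidingWindowThrottle:
    """Client-side pacing for one rate-limited endpoint (hypothetical helper)."""

    def __init__(self, limit, window_s, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window_s = limit, window_s
        self.clock, self.sleep = clock, sleep
        self.sent = deque()        # send times still inside the rolling window
        self.blocked_until = 0.0   # set from Retry-After after a 429

    def wait_time(self):
        """Seconds to wait before the next request fits in the window."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window_s:
            self.sent.popleft()    # these requests have left the window
        wait = max(0.0, self.blocked_until - now)
        if len(self.sent) >= self.limit:
            # Window is full: wait until the oldest request slides out.
            wait = max(wait, self.sent[0] + self.window_s - now)
        return wait

    def call(self, send, max_attempts=3):
        """Run send() -> (status, headers), pacing locally and honouring 429."""
        for _ in range(max_attempts):
            wait = self.wait_time()
            if wait > 0:
                self.sleep(wait)
            # Assumption: rejected requests are counted too (conservative).
            self.sent.append(self.clock())
            status, headers = send()
            if "RateLimit-Limit" in headers:
                self.limit = int(headers["RateLimit-Limit"])  # trust the server
            if status != 429:
                return status, headers
            try:
                retry_after = float(headers["Retry-After"])
            except (KeyError, ValueError):
                retry_after = 1.0  # assumed fallback if the header is unusable
            self.blocked_until = self.clock() + retry_after
        raise RuntimeError("still rate limited after %d attempts" % max_attempts)
```

Create one instance per endpoint, since limits vary per endpoint, and take `limit` and `window_s` from that endpoint's documentation.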