
How rate limiting works

The Mandate API enforces per-agent rate limits to protect service stability. Limits are tracked per runtime key. When you exceed the limit, the API returns a 429 Too Many Requests response with a Retry-After header.

Default limits

| Endpoint Category | Rate Limit | Window |
|---|---|---|
| Validation (/validate, /validate/raw) | 60 requests | per minute |
| Status polling (/intents/{id}/status) | 120 requests | per minute |
| Event posting (/intents/{id}/events) | 30 requests | per minute |
| Registration (/agents/register) | 10 requests | per minute |
| Dashboard API | 120 requests | per minute |

These limits apply per runtime key. Different agents with different keys have independent rate limits.

Response headers

Every API response includes rate limit headers:

| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed in the current window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| Retry-After | Seconds to wait before retrying (only on 429 responses) |

429 response format

```json
{
  "error": "Too many requests. Retry after 12 seconds."
}
```

The Retry-After header contains the number of seconds to wait.

Retry strategy

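Use exponential backoff when you receive a 429 response:

```javascript
// Calls client.validate() up to maxRetries times in total.
// Only a 429 is retried; any other error is rethrown immediately.
async function validateWithRetry(client, payload, maxRetries = 3) {
  for (let attempt = 0; attempt < maxRetries; attempt++) {
    try {
      return await client.validate(payload);
    } catch (err) {
      if (err.statusCode === 429 && attempt < maxRetries - 1) {
        // Delay doubles each attempt: 1s, 2s, 4s, ...
        const delay = Math.pow(2, attempt) * 1000;
        await new Promise((r) => setTimeout(r, delay));
        continue;
      }
      // Non-429 error, or the last attempt was also rate limited.
      throw err;
    }
  }
}
```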
Do not poll /intents/{id}/status in a tight loop. The SDK’s waitForApproval() and waitForConfirmation() methods use appropriate intervals (5s and 3s respectively) to stay within rate limits.
If your agent needs higher limits for production workloads, contact the Mandate team. Custom rate limits are available for high-volume deployments.
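
The retry function above waits a fixed, doubling delay and never reads the Retry-After value that a 429 response carries. The following is an added example, not Mandate SDK code, that prefers that header, bounds it, and falls back to jittered backoff. The names `callWithRetry`, `retryDelayMs` and `parseRetryAfter`, the 60-second cap, and the shape of `err.headers` (a plain object with lowercase keys) are assumptions; only `err.statusCode` comes from this page.

```javascript
// Added example. Assumed: the thrown error exposes the response headers as a
// plain object with lowercase keys (err.headers).
const MAX_DELAY_MS = 60_000; // assumed cap: the documented windows are one minute

// Retry-After as documented on this page: a whole number of seconds.
// Returns milliseconds, or null if the value is missing or malformed.
function parseRetryAfter(value) {
  const s = String(value ?? "").trim();
  return /^\d+$/.test(s) ? Number(s) * 1000 : null;
}

// Delay before the next attempt. Prefer the server's hint, clamped so that a
// bad or hostile value cannot stall the agent indefinitely. Without a usable
// hint, use exponential backoff with jitter so that processes sharing one
// runtime key do not all retry at the same instant.
function retryDelayMs(err, attempt, random = Math.random) {
  const hinted = parseRetryAfter(err?.headers?.["retry-after"]);
  if (hinted !== null) return Math.min(hinted, MAX_DELAY_MS);
  const ceiling = Math.min(2 ** attempt * 1000, MAX_DELAY_MS);
  return Math.floor(ceiling / 2 + (random() * ceiling) / 2);
}

const defaultSleep = (ms) => new Promise((r) => setTimeout(r, ms));

// Runs fn up to maxRetries times in total (same meaning as validateWithRetry).
// Only a 429 is retried; any other error propagates immediately.
async function callWithRetry(fn, { maxRetries = 3, sleep = defaultSleep } = {}) {
  for (let attempt = 0; ; attempt++) {
    try {
      return await fn();
    } catch (err) {
      if (err?.statusCode !== 429 || attempt >= maxRetries - 1) throw err;
      await sleep(retryDelayMs(err, attempt));
    }
  }
}
```

Call it as `callWithRetry(() => client.validate(payload))`; the `sleep` option exists so the wait can be replaced in tests.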

Next Steps

Error Codes

Full HTTP status code reference and error response format.

API Overview

Base URL, authentication, and endpoint summary.