API Rate Limits

Understand APVISO's API rate limits, how to monitor usage via response headers, and how to handle 429 responses.

Rate Limit Policy

All APVISO API endpoints are rate-limited to 120 requests per minute per API key. This applies to both the frontend-facing and programmatic APIs.

Rate Limit Headers

Every API response includes headers that help you track your usage:

  • X-RateLimit-Limit: 120 — the maximum requests allowed per window.
  • X-RateLimit-Remaining: 87 — requests remaining in the current window.
  • X-RateLimit-Reset: 1712764800 — Unix timestamp when the window resets.

Use these headers to implement proactive rate limiting in your client code.

Handling 429 Responses

When you exceed the rate limit, the API returns:

json
{
  "error": "rate_limit_exceeded",
  "message": "Too many requests. Please retry after the reset time.",
  "retryAfter": 45
}

The response includes:

  • HTTP status code 429 Too Many Requests.
  • A Retry-After header with the number of seconds to wait.
  • The same value in the response body's retryAfter field.

Recommended Retry Strategy

Implement exponential backoff with jitter:

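typescript
async function apiCallWithRetry(url: string, options: RequestInit, maxRetries = 3): Promise<Response> {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    const response = await fetch(url, options);

    if (response.status !== 429) return response;
    if (attempt === maxRetries) break; // out of retries: fail without sleeping again

    // Retry-After is in seconds; fall back to 60 if it is missing or not a number.
    const parsed = parseInt(response.headers.get("Retry-After") ?? "", 10);
    const retryAfterMs = (isNaN(parsed) ? 60 : parsed) * 1000;
    // Exponential backoff (1 s, 2 s, 4 s, ...), never shorter than Retry-After.
    const backoffMs = 1000 * 2 ** attempt;
    // Up to 1 s of random jitter so parallel clients do not retry in lockstep.
    const jitterMs = Math.random() * 1000;
    await new Promise((r) => setTimeout(r, Math.max(retryAfterMs, backoffMs) + jitterMs));
  }
  throw new Error("Max retries exceeded");
}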

Tips for Staying Within Limits

  • Batch where possible — use list endpoints with filters instead of making individual requests for each resource.
  • Cache responses — targets, plans, and other slowly-changing data do not need to be fetched on every request.
  • Use the real-time stream — subscribe to the event stream for scan updates instead of polling the scan status endpoint.
  • Spread requests — if you need to make many calls, spread them evenly across the minute window rather than bursting.
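
The proactive rate limiting suggested under Rate Limit Headers, combined with the "Spread requests" tip, as an added example that is not APVISO's own code. The names readBudget, delayBeforeNextMs and createPacedSender are hypothetical, and the request callback is assumed to return an object whose headers have a get method, as a fetch Response does.

```typescript
// Added example: pace requests using the X-RateLimit-* response headers.
// All names here are hypothetical; they are not part of any APVISO SDK.
interface HeaderReader { get(name: string): string | null }
interface Budget { remaining: number; resetAtMs: number }

// Parse the two headers; returns null if either is missing or malformed.
function readBudget(headers: HeaderReader): Budget | null {
  const remaining = parseInt(headers.get("X-RateLimit-Remaining") ?? "", 10);
  const resetSec = parseInt(headers.get("X-RateLimit-Reset") ?? "", 10);
  if (isNaN(remaining) || isNaN(resetSec) || remaining < 0) return null;
  return { remaining, resetAtMs: resetSec * 1000 }; // header is a Unix time in seconds
}

// Milliseconds to wait before the next request, given the last known budget.
function delayBeforeNextMs(budget: Budget | null, nowMs: number): number {
  if (budget === null) return 0;                    // nothing known yet: send
  const windowLeftMs = budget.resetAtMs - nowMs;
  if (windowLeftMs <= 0) return 0;                  // the window has already reset
  if (budget.remaining === 0) return windowLeftMs;  // exhausted: wait for the reset
  // Spread the remaining requests evenly over the rest of the window.
  return Math.floor(windowLeftMs / budget.remaining);
}

// Wraps any request function. Assumes calls are made one at a time;
// concurrent callers would all see the same (stale) budget.
function createPacedSender(now: () => number = Date.now) {
  let budget: Budget | null = null;
  return async function send<R extends { headers: HeaderReader }>(
    request: () => Promise<R>,
  ): Promise<R> {
    const waitMs = delayBeforeNextMs(budget, now());
    if (waitMs > 0) await new Promise<void>((r) => setTimeout(r, waitMs));
    const response = await request();
    budget = readBudget(response.headers) ?? budget; // keep old budget if headers are absent
    return response;
  };
}
```

Pass a closure such as () => fetch(url, options) to the function returned by createPacedSender. A 429 can still occur if the same key is used elsewhere, so keep the retry handling as well.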

Enterprise Rate Limits

Enterprise customers can request custom rate limits. Contact your account manager to discuss higher limits for your use case.

Monitoring

You can view your API usage statistics in Settings → API Keys. Each key shows request counts over the last 24 hours, 7 days, and 30 days.