Rate limits are enforced per API token, not per IP address or per workspace. Every token gets its own counter.
Default limit
60 requests per minute, per token.
Your workspace administrator can change this in workspace settings (rate_limit_max for the ceiling, rate_limit_decay for the window in minutes). Contact your admin if you need a higher limit.
429 response
When you exceed the limit, Xobito returns HTTP 429 Too Many Requests with this body:
```json
{
  "message": "Too many requests",
  "retry_after": 45
}
```
| Field | Meaning |
|---|---|
| message | Always "Too many requests". |
| retry_after | Seconds to wait before the next request will be accepted. |
Unlike other endpoints, the 429 response does not include a status field. Treat any response with HTTP status 429 as rate-limited.
Handling 429s
Wait the number of seconds in retry_after, then retry the same request. A simple loop:
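```javascript
// Retry a request up to 5 times, waiting as long as the 429 body says.
async function call(url, options) {
  for (let attempt = 0; attempt < 5; attempt++) {
    const res = await fetch(url, options);
    // Anything other than 429 (success or another error) goes back to the caller.
    if (res.status !== 429) return res;
    // The 429 body carries the wait time in seconds; fall back to 1 second if it is missing.
    const { retry_after } = await res.json();
    await new Promise((r) => setTimeout(r, (retry_after || 1) * 1000));
  }
  throw new Error("Rate limited after 5 retries");
}
```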
Quotas
Separately from the per-minute limit, tokens can be configured with a monthly quota (total calls per calendar month). When the quota is exhausted, requests are rejected until the quota resets at the start of the next month. Monthly quota is optional and configured per token in Settings → API Management.
Best practices
Use one token per integration, so one noisy service does not starve others.
Back off with retry_after instead of guessing. Xobito returns the exact wait time.
Batch related work where possible — e.g. create contacts in parallel up to your limit, not in a tight loop.
Monitor 429 response counts in your own observability stack.
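An added example, not Xobito code: a client-side pacer that keeps one sliding-window counter per token, so parallel work stays under the per-token limit and a 429's retry_after blocks only that token. The names `TokenPacer`, `reserve`, `backoff` and `pacedFetch` are hypothetical; it assumes a client-side sliding window is at least as strict as the server's counter, and `token` here is only the pacing key (authentication still goes in `options`).

```javascript
// Added example: per-token pacing sized from the workspace settings
// (rate_limit_max = ceiling, rate_limit_decay = window in minutes).
class TokenPacer {
  constructor({ max = 60, decayMinutes = 1, now = () => Date.now() } = {}) {
    this.max = max;
    this.windowMs = decayMinutes * 60000;
    this.now = now;            // injectable clock, so the logic can be tested
    this.slots = new Map();    // token -> ascending send times (ms), may be in the future
    this.blocked = new Map();  // token -> time (ms) before which the server said not to retry
  }

  // Reserve the next send slot for `token`. Returns ms to wait (0 = send now).
  reserve(token) {
    const t = this.now();
    const log = this.slots.get(token) ?? [];
    // Forget slots that have already left the window.
    while (log.length && log[0] <= t - this.windowMs) log.shift();
    // Window full: the next slot opens when the max-th most recent one expires.
    const free = log.length < this.max ? t : log[log.length - this.max] + this.windowMs;
    const at = Math.max(free, this.blocked.get(token) ?? 0);
    log.push(at);
    this.slots.set(token, log);
    return at - t;
  }

  // Record a 429. A missing or malformed retry_after falls back to 1 second.
  backoff(token, retryAfter) {
    const secs = Number.isFinite(retryAfter) && retryAfter > 0 ? retryAfter : 1;
    const until = this.now() + secs * 1000;
    this.blocked.set(token, Math.max(until, this.blocked.get(token) ?? 0));
  }
}

// Send one request through the pacer, honouring retry_after on 429.
async function pacedFetch(pacer, token, url, options) {
  for (let attempt = 0; attempt < 5; attempt++) {
    const wait = pacer.reserve(token);
    if (wait > 0) await new Promise((r) => setTimeout(r, wait));
    const res = await fetch(url, options);
    if (res.status !== 429) return res;
    const body = await res.json().catch(() => ({})); // tolerate a non-JSON 429 body
    pacer.backoff(token, body.retry_after);
  }
  throw new Error("Rate limited after 5 attempts");
}
```

Share one `TokenPacer` instance across all callers that use the same token; separate instances would each assume they own the full limit.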