Rate Limits
The Driftwood API enforces rate limits to ensure fair usage and platform stability.
Default Limits
| Authentication Type | Rate | Burst |
|---|---|---|
| Public (unauthenticated) | 5 req/s | 10 |
| User token | 10 req/s | 20 |
| OAuth app token | 50 req/s | 100 |
Rate is the sustained request rate. Burst is the maximum number of requests allowed in a short spike.
Per-Endpoint Limits
Some endpoints have stricter limits:
| Endpoint | Rate | Burst |
|---|---|---|
| auth-login | 3 req/s | 5 |
| users-forgot-password | 3 req/s | 5 |
| users-reset-password | 5 req/s | 10 |
Rate Limit Scoping
- Public endpoints: Limited by IP address
- Authenticated endpoints: Limited by user ID or OAuth app ID
When You’re Rate Limited
You’ll receive a 429 Too Many Requests response:
```json
{
  "ok": false,
  "error": {
    "code": "rate_limit.exceeded",
    "message": "Too many requests"
  }
}
```
Best Practices
- Cache tokens — Don’t request a new token for every API call
- Use exponential backoff — When rate limited, wait 1s, then 2s, then 4s
- Batch where possible — Use bulk operations instead of many individual calls
- Use webhooks — Subscribe to events instead of polling for changes
- Spread requests — Distribute API calls evenly over time rather than bursting
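The "exponential backoff" and "spread requests" advice above, sketched as an added example (not part of the Driftwood documentation or any Driftwood SDK). It assumes the rate and burst figures can be modelled client-side as a token bucket; `TokenBucket`, `call_with_backoff`, the `LIMITS` keys and the `send` callable (any function returning `(status, body)`) are illustrative names.

```python
import json
import time

# Sustained rate (req/s) and burst per authentication type, from the table above.
LIMITS = {"public": (5, 10), "user": (10, 20), "oauth_app": (50, 100)}


class TokenBucket:
    """Client-side pacer: holds up to `burst` tokens, refilled at `rate` per second."""

    def __init__(self, rate, burst, clock=time.monotonic, sleep=time.sleep):
        self.rate, self.burst = rate, burst
        self.clock, self.sleep = clock, sleep
        self.tokens = float(burst)
        self.last = clock()

    def acquire(self):
        """Block until one request may be sent; return the seconds waited."""
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        wait = max(0.0, (1 - self.tokens) / self.rate)
        if wait:
            self.sleep(wait)  # bucket empty: wait until one token has refilled
            self.last, self.tokens = self.clock(), 1.0
        self.tokens -= 1
        return wait


def is_rate_limited(status, body):
    """True for the 429 response with error code rate_limit.exceeded shown above."""
    if status != 429:
        return False
    try:
        return json.loads(body)["error"]["code"] == "rate_limit.exceeded"
    except (ValueError, KeyError, TypeError):
        return True  # a 429 with an unexpected body is still treated as a limit


def call_with_backoff(send, bucket, max_retries=3, sleep=time.sleep):
    """Pace `send` through the bucket; on 429 wait 1s, 2s, 4s, then give up."""
    for attempt in range(max_retries + 1):
        bucket.acquire()
        status, body = send()
        if not is_rate_limited(status, body):
            return status, body
        if attempt < max_retries:
            sleep(2 ** attempt)
    return status, body
```

Calls to `auth-login` and the password endpoints fall under the stricter per-endpoint limits, so give them their own bucket (for example `TokenBucket(3, 5)`) rather than sharing the general one.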