429 Too Many Requests
The client has exceeded the rate limit and should slow down.
What Is This?
The HTTP 429 Too Many Requests status code indicates that the client has exceeded the rate limit for requests. The response should include a Retry-After header indicating how long the client should wait before making another request. Rate limiting protects APIs from abuse, ensures fair usage, and maintains service stability.
Common Causes & Solutions
Common causes:
- Sending requests faster than the API rate limit allows
- Scripts or bots making automated requests without throttling
- Distributed denial-of-service (DDoS) attack or accidental traffic spike
- Missing pagination — fetching large datasets one item at a time instead of batching
Implement exponential backoff
When receiving a 429, wait and retry with increasing delays to avoid overwhelming the server, and never retry sooner than the server's Retry-After value allows.
// Exponential backoff with jitter, honouring the server's Retry-After hint
// Retry-After may be a number of seconds or an HTTP-date; returns a delay in ms
function parseRetryAfterMs(header) {
  if (!header) return 0
  const seconds = Number(header)
  if (Number.isFinite(seconds)) return Math.max(0, seconds * 1000)
  const date = Date.parse(header)
  return Number.isNaN(date) ? 0 : Math.max(0, date - Date.now())
}

async function fetchWithRetry(url, options = {}, maxRetries = 5) {
  for (let i = 0; i < maxRetries; i++) {
    const response = await fetch(url, options)
    if (response.status !== 429) return response
    // Wait for whichever is longer: our backoff or the server's hint; the jitter
    // keeps many clients from retrying in lockstep
    const serverWait = parseRetryAfterMs(response.headers.get('Retry-After'))
    const backoff = 1000 * 2 ** i + Math.random() * 1000
    await new Promise(r => setTimeout(r, Math.max(backoff, serverWait)))
  }
  throw new Error('Max retries exceeded')
}
Implement server-side rate limiting
Add rate limiting middleware to your API to protect against abuse.
// Express.js with express-rate-limit
import express from 'express'
import rateLimit from 'express-rate-limit'

const app = express()

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
  standardHeaders: true, // send RateLimit-* headers
  legacyHeaders: false, // omit the older X-RateLimit-* headers
  message: {
    error: 'Too Many Requests',
    message: 'You have exceeded the rate limit. Please retry later.'
  }
})

// Apply the limiter to every route under /api/
app.use('/api/', limiter)
Frequently Asked Questions
What headers should I include with 429?
Include Retry-After (seconds or date), X-RateLimit-Limit (max requests per window), X-RateLimit-Remaining (requests remaining), and X-RateLimit-Reset (when the window resets) headers.
Can 429 be triggered by other limits besides request count?
Yes. 429 is also used for bandwidth limits, concurrent connection limits, and CPU usage limits. The response body should explain which limit was exceeded.
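The following is an added example, not code from the original page: a minimal fixed-window rate limiter in plain JavaScript that produces the 429 response, the Retry-After header and the X-RateLimit-* headers listed in the FAQ above, and a body naming which limit was exceeded. It illustrates both the "Implement server-side rate limiting" section and the header FAQ without depending on express-rate-limit. The names createRateLimiter, check and demo, the `now` parameter (an injectable clock), and the sample client key and timestamps are assumptions constructed for this illustration.

```javascript
// Added example: fixed-window rate limiter emitting 429 plus the rate-limit headers.
// createRateLimiter/check/demo are illustrative names, not a library API.
function createRateLimiter({ limit = 100, windowMs = 60_000 } = {}) {
  const buckets = new Map() // clientKey -> { count, windowStart }

  // Evaluate one request from clientKey at time `now` (ms since epoch).
  // Returns { allowed, status, headers[, body] }; the caller writes these out.
  function check(clientKey, now = Date.now()) {
    let bucket = buckets.get(clientKey)
    if (!bucket || now - bucket.windowStart >= windowMs) {
      bucket = { count: 0, windowStart: now } // start a fresh window
      buckets.set(clientKey, bucket)
    }
    const resetAt = bucket.windowStart + windowMs
    const resetSeconds = Math.ceil(resetAt / 1000) // X-RateLimit-Reset as a Unix timestamp

    if (bucket.count >= limit) {
      // Retry-After in whole seconds, never 0, so clients cannot busy-loop
      const retryAfter = Math.max(1, Math.ceil((resetAt - now) / 1000))
      return {
        allowed: false,
        status: 429,
        headers: {
          'Retry-After': String(retryAfter),
          'X-RateLimit-Limit': String(limit),
          'X-RateLimit-Remaining': '0',
          'X-RateLimit-Reset': String(resetSeconds),
        },
        // Say which limit was hit; this limiter only tracks request count
        body: { error: 'Too Many Requests', limitExceeded: 'requests-per-window' },
      }
    }

    bucket.count += 1
    return {
      allowed: true,
      status: 200,
      headers: {
        'X-RateLimit-Limit': String(limit),
        'X-RateLimit-Remaining': String(limit - bucket.count),
        'X-RateLimit-Reset': String(resetSeconds),
      },
    }
  }

  return { check }
}

// Constructed demonstration: 3 requests per 10-second window from one client,
// using a fixed clock so the results are deterministic.
function demo() {
  const limiter = createRateLimiter({ limit: 3, windowMs: 10_000 })
  const t0 = 1_700_000_000_000
  const results = []
  for (let i = 0; i < 4; i++) results.push(limiter.check('client-a', t0 + i * 100))
  results.push(limiter.check('client-a', t0 + 10_000)) // window has reset
  return results
}
```

In a real deployment the client key must come from something the server trusts (an authenticated identity or the connection's peer address, not an unverified X-Forwarded-For value), and the in-memory Map must be replaced by a shared store when more than one instance serves traffic. A fixed window also allows up to 2×limit requests across a window boundary; a sliding window or token bucket closes that gap at the cost of a little more state.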