What is an API rate limit?
An API rate limit is a restriction on how many requests a client can make within a given time window. APIs enforce rate limits to protect infrastructure, ensure fair usage, and prevent abuse. When a client exceeds the limit, the server typically responds with an HTTP 429 Too Many Requests status code.
What does HTTP 429 mean?
HTTP 429 Too Many Requests indicates that the client has sent more requests than the server allows in a given time period. The response often includes a Retry-After header specifying when the client can try again. This tool counts 429 responses to help you identify at what request rate the API begins rate limiting.
How does concurrency affect rate limit testing?
Concurrency determines how many requests are in flight simultaneously. Higher concurrency means more requests hit the server in a shorter window, which can trigger rate limits sooner. Testing at different concurrency levels reveals whether limits are based on total request volume per time window or on concurrent connection count.
Why do some requests show network errors instead of status codes?
Network errors occur when the browser cannot complete the HTTP connection. Common causes include: CORS restrictions (the API does not allow cross-origin requests from a browser), DNS failures, SSL/TLS certificate errors, or the server being unreachable. CORS is the most common cause when testing APIs that were not designed for direct browser access.
What is CORS and why does it affect this tool?
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that blocks requests from one origin (like this page) to a different origin (like your API) unless the API explicitly allows it via Access-Control-Allow-Origin headers. Server-side tools and curl are not affected by CORS. To bypass CORS in testing, run this tool against APIs you control that have permissive CORS headers, or use a CORS proxy.
What is the difference between rate limiting and throttling?
Rate limiting enforces a hard cap — once exceeded, requests are rejected with 429. Throttling slows requests down rather than rejecting them, introducing artificial delays. Many APIs use both: throttling at normal load and hard limits at extreme load. This tool identifies the point where hard limits kick in by tracking 429 responses.
What does 'requests per second' (RPS) mean in the results?
Requests per second (RPS) is the total number of completed requests divided by the elapsed test time in seconds. It measures your effective throughput under the configured concurrency and delay settings. A high RPS with many 429 responses suggests you are hitting the rate limit ceiling of the API.
How do I find the exact rate limit of an API?
Start with a low number of requests and low concurrency. Gradually increase both until you see 429 responses appear. The request count or RPS at which 429s begin indicates the rate limit threshold. Also check the API's documentation and response headers — many APIs include rate limit info in X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After headers.
Is this tool safe to use on production APIs?
Only test APIs you own or have explicit permission to test. Sending many rapid requests to a production API without authorization may violate the API's terms of service, trigger security alerts, or temporarily block your IP address. Use staging or development environments when possible.
Does this tool store my API URL or headers?
No. All configuration and request execution happens entirely in your browser. No input is sent to Digia servers. Your API URL, headers, and request body never leave your device.