Rate Limiting
The Pagamio VAS API enforces rate limits on a small set of high-risk endpoints to protect the platform from abuse and to ensure fair usage.
Rate Limit Policies
| Endpoint | Limit | Scope | Purpose |
|---|---|---|---|
POST /auth/token | 5 requests / minute | IP address | Prevents brute-force credential attacks. |
POST /auth/token/refresh | 10 requests / minute | IP address | Limits abuse of the token refresh endpoint. |
POST /purchase | 10 requests / minute | User token | Protects the transaction pipeline from runaway loops. |
All other endpoints currently have no per-endpoint rate limit. This may change in future releases without breaking the contract — always handle
429responses defensively.
Limits are configurable on the platform side and the values above are the defaults. If your account has a different limit, your account manager will inform you.
What A Rate-Limited Response Looks Like
When a limit is exceeded, the API returns HTTP 429 Too Many Requests with this body:
{
"error": "Too Many Requests",
"message": "Rate limit exceeded for /purchase"
}
The current implementation does not return
Retry-After,X-RateLimit-Limit,X-RateLimit-Remaining, orX-RateLimit-Resetheaders. Do not write client code that depends on these headers.
Recommended Client Behaviour
- On
429, back off and retry. A safe starting policy is exponential backoff with jitter:- Wait 1s, then 2s, then 4s, then 8s (capped at 60s).
- Add up to ±25% random jitter to avoid thundering herd retries.
- Never retry a
429immediately. The bucket refills on a per-minute interval. - Spread bulk operations over time. If you have many merchants transacting through one token, consider one token per merchant where possible.
Last updated: April 2026