Our system does not apply any rate limits for server-to-server API calls. Instead, we aim to grow your system with you to handle the throughput needs of your business.

That said, we do apply certain rate limits on browser/app-to-server API calls in order to prevent enumeration attacks, preventing a malicious party from enumerating credit, debit, or scheme cards to check their validity.

Enumeration prevention

In order to prevent enumeration attacks, the following limits are applied.

Token & EndpointsLimit
A JWT token with the embed scope used with the following endpoints.

POST /gift-cards/balances
POST /gift-cards
POST /transactions
This limits tokens for use with Embed or other frontend integrations from iterating over scheme and gift card numbers. Server-to-server calls are not affected.
A Checkout Session ID used with the following endpoint.

POST /checkout/sessions/:id/fields
This endpoint is used by Secure Fields for storing scheme card details and prevents the over-use of the session ID to store and validate card details.

Rate limit

The current rate limit for these endpoints is set to approximately 50 requests per minute across all endpoints, per token. This value may be adjusted downward in time to adjust for enumeration attacks.

We recommend generating a new checkout session ID or JWT token for every checkout, to prevent a user from being rate-limited.