# Rate limiting

> Rate limits and enumeration prevention

The system does not apply any rate limits to server-to-server API calls. Instead,
it aims to grow with the business and handle the throughput required.

That said, certain rate limits are applied to browser/app-to-server API calls to
prevent enumeration attacks, in which a malicious party iterates over credit, debit,
or scheme cards to check their validity.

## Enumeration prevention

In order to prevent enumeration attacks, the following limits are applied.

| Token & Endpoints                                                                                                                                                                                                                                                                                                      | Limit                                                                                                                                                           |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| A [JWT token](./authentication) with the `embed` scope used with the following endpoints.<br /><br /> [`POST /gift-cards/balances`](/reference/gift-cards/list-gift-card-balances)<br />[`POST /gift-cards`](/reference/gift-cards/new-gift-card)<br />[`POST /transactions`](/reference/transactions/new-transaction) | This prevents tokens used with Embed or other frontend integrations from iterating over scheme and gift card numbers. Server-to-server calls are not affected. |
| A [Checkout Session ID](/reference/checkout-sessions/new-checkout-session) used with the following endpoint.<br /><br /> [`POST /checkout/sessions/:id/fields`](/reference/checkout-sessions/update-checkout-session-fields) | This endpoint is used by Secure Fields for storing scheme card details. The limit prevents overuse of the session ID to store and validate card details. |

<Warning>
  **Rate limit**

  The current rate limit for these endpoints is set to approximately 50 requests per minute across all endpoints, per token. This value may be lowered over time in response to enumeration attacks.

  Generating a new checkout session ID or JWT token for every checkout is recommended to prevent a user from being rate-limited.
</Warning>
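
The per-token behaviour described above, as an added example (not Gr4vy's implementation and not code from this documentation): one counter per token, shared across the embed-scoped endpoints, which shows why a token reused across checkouts is limited while a fresh token per checkout is not. The sliding-window algorithm, the class and function names, the 0.5-second request spacing and the token names are assumptions; only the 50-per-minute figure, the `embed` scope and the endpoint list come from this page.

```python
from collections import defaultdict, deque

LIMIT, WINDOW_SECONDS = 50, 60  # approximate figure stated on this page
# Endpoints the page lists as limited for JWTs with the embed scope.
EMBED_LIMITED = {
    ("POST", "/gift-cards/balances"),
    ("POST", "/gift-cards"),
    ("POST", "/transactions"),
}


class PerTokenLimiter:
    """Sliding window keyed by token; one counter shared by all limited endpoints."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # token id -> times of accepted calls

    def allow(self, token_id, scopes, method, path, now):
        # Calls without the embed scope (server-to-server) are never limited.
        if "embed" not in scopes or (method, path) not in EMBED_LIMITED:
            return True
        q = self.hits[token_id]
        while q and now - q[0] >= self.window:  # drop calls older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate(tokens, requests_per_token, scopes=("embed",)):
    """Constructed traffic: each token sends calls 0.5 s apart, rotating over the
    limited endpoints. Returns the number of rejected calls per token."""
    limiter, endpoints = PerTokenLimiter(), sorted(EMBED_LIMITED)
    rejected = {}
    for token in tokens:
        rejected[token] = 0
        for i in range(requests_per_token):
            method, path = endpoints[i % len(endpoints)]
            if not limiter.allow(token, scopes, method, path, now=i * 0.5):
                rejected[token] += 1
    return rejected


if __name__ == "__main__":
    print(simulate(["reused-token"], 60))                     # one token, 60 calls
    print(simulate([f"checkout-{n}" for n in range(10)], 6))  # 10 tokens, 6 calls each
```

Both runs send 60 calls in total: the single reused token has its last 10 rejected, while the ten per-checkout tokens have none rejected.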
