Overview

You're asking for too much, slow down.

Takeaways

  1. The user has sent too many requests in a given amount of time ("rate limiting").
  2. The response representations should include details explaining the condition.
  3. The response may include a Retry-After header indicating how long to wait before making a new request.

Example

HTTP/1.1 429 Too Many Requests
Content-Type: text/html
Retry-After: 3600
<html>
  <head>
    <title>Too Many Requests</title>
  </head>
  <body>
    <h1>Too Many Requests</h1>
    <p>I only allow 50 requests per hour to this Web site per
    logged in user. Try again soon.</p>
  </body>
</html>

Information

The specification does not define how the origin server identifies the user, nor how it counts requests. For example, an origin server that is limiting request rates can do so based upon counts of requests on a per-resource basis, across the entire server, or even among a set of servers. Likewise, it might identify the user by its authentication credentials, or a stateful cookie.

Responses with the 429 status code must not be stored by a cache.

Further Reading

Specification

429 Too Many Requests | The HTTP Working Group

429 Too Many Requests

MDN web docs

Retry-After header field

Kenneally | Techno loving working group (TLWG)