Skip to main content
Mock API Builder
Learning Center/Rate Limiting
Working with APIs

Rate Limiting

Protect your APIs and simulate real-world usage limits

What Rate Limiting Protects

Every mock endpoint you create is reachable without authentication when its project is public — that's the point of a shareable mock API. Since there's no login to gate abuse on those calls, Mock API Builder applies a fixed rate limit to every request that hits the mock executor, per client IP address. This is a platform-level guard against denial-of-service, not a per-project setting you configure — there's no UI to change these numbers.

Two Limits, Depending on How You Call Your API

  • Calling directly (your authenticated project): 300 requests per minute, per IP, on a fixed one-minute window.
  • Calling via a shared link: tracked per share token + IP, with a base limit and a shorter burst window. Reads (GET) get 300/min with a 60-request/10s burst allowance; writes (POST/PUT/PATCH/DELETE) get 60/min with a 20-request/10s burst allowance.

How It Works

Both limiters use a fixed window: once your first request in a window arrives, a counter starts and resets after the window elapses (not a rolling/sliding average). The share-token limiter additionally tracks a short burst window so a quick spike doesn't immediately exhaust your per-minute budget, but sustained traffic above the base rate still gets limited.

Request arrives

The executor checks the counter for this IP (or token+IP) before doing any database work.

Under the limit

The request proceeds normally; response headers report how much of the window's quota remains.

Over the limit

The executor short-circuits with a 429 Too Many Requests response before touching the database.

Error Response (429)

When limited, clients receive a 429 Too Many Requests status with these headers and body:

json

Integration Example

Standard fetch implementation with retry logic:

javascript

Best Practices

  • Watch X-RateLimit-Remaining so your client can throttle itself before hitting a 429.
  • Respect Retry-After rather than retrying immediately after a 429.
  • Load-testing a mock API? Space requests out or test against a project you access directly rather than through a shared link, since the shared-link write limit (60/min) is the tightest of the two.
Previous: Authentication & AuthorizationNext: Security Best Practices
Mock API Builder

Built for developers, by developers

DocumentationContactPrivacy PolicyTerms of Service

© 2026 Mock API Builder. All rights reserved.

Double-click for what's new
Learning Center
Learning Center