
Rate limits

Pentify enforces per-key request rate limits to protect the platform from runaway clients. The defaults are generous and rarely hit by well-behaved integrations.

Default limits

Surface | Limit
Per API key (authenticated) | 60 requests / minute
Per IP (public unauth: /openapi.json, /healthz, /token-packs) | 30 requests / minute

Higher per-key ceilings are available on Team and Enterprise plans, or on request for self-serve customers with a real reason.

What happens when you hit the ceiling

The API responds with HTTP 429 and the standard error envelope:

HTTP/1.1 429 Too Many Requests
Retry-After: 12
Content-Type: application/json

{
  "error": {
    "code": "rate_limited",
    "message": "Rate limit exceeded for this API key.",
    "request_id": "req_01HFY3..."
  }
}

The Retry-After header tells you how many whole seconds to wait before retrying. Honour it.

Built into the SDKs
The official TypeScript, Python and Go SDKs auto-honour Retry-After values up to 30 seconds, then retry once. Set maxRetries: 0 to disable.

Best practices

  • Don’t poll a single scan more often than once every 30 seconds. A standard scan takes 10–30 minutes; aggressive polling burns RPM and tokens for no information gain.
  • Subscribe to webhooks for scan-completion events instead of polling. See Webhooks.
  • Batch reads — list endpoints support up to 100 items per request.
  • Use exponential backoff with jitter on retries to avoid thundering-herd resyncs after platform incidents.
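
One way to combine the Retry-After rule with the backoff-and-jitter advice above, as an added example (not Pentify SDK code). The `send` transport hook, the function names and the 30-second backoff cap are assumptions made for the illustration, and the replies in `demo` are constructed.

```python
import random
import time

MAX_BACKOFF = 30.0  # assumed cap for this example, not a documented Pentify value


def retry_delay(attempt, retry_after=None, base=1.0, rng=random.random):
    """Seconds to wait before retry number `attempt` (0-based)."""
    try:
        server_wait = int(retry_after)      # the page documents whole seconds
    except (TypeError, ValueError):
        server_wait = None                  # header missing or malformed
    if server_wait is not None and server_wait >= 0:
        # Never retry earlier than the server asked; up to 1 s of jitter keeps
        # clients that were throttled together from all returning together.
        return server_wait + rng()
    # No usable header: exponential backoff with full jitter.
    return rng() * min(MAX_BACKOFF, base * 2 ** attempt)


def call_with_backoff(send, max_retries=4, sleep=time.sleep, rng=random.random):
    """Call send() until it stops returning 429 or the retries run out.

    `send` is a hypothetical transport hook returning (status, headers, body);
    the header name is assumed to be spelled as in the sample response above.
    """
    for attempt in range(max_retries + 1):
        status, headers, body = send()
        if status != 429 or attempt == max_retries:
            return status, body
        sleep(retry_delay(attempt, headers.get("Retry-After"), rng=rng))


def demo():
    """Constructed exchange: two 429s (one without Retry-After), then a 200."""
    replies = iter([
        (429, {"Retry-After": "12"}, {"error": {"code": "rate_limited"}}),
        (429, {}, {"error": {"code": "rate_limited"}}),
        (200, {}, {"ok": True}),
    ])
    waits = []  # recorded instead of sleeping so the demo runs instantly
    result = call_with_backoff(lambda: next(replies), sleep=waits.append,
                               rng=lambda: 0.5)
    return result, waits
```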

Need a higher limit?

Email support@pentify.io with your workspace ID and the use case. We respond within one business day.