Rate Limiting

How the brin API enforces request rate limits per client IP

The API enforces IP-based rate limiting on all endpoints. No authentication is required, so rate limits are applied per client IP address — one client hitting the limit does not affect others.

##Limits

Each IP address gets an independent quota. Once the burst allowance is exhausted, requests are throttled to 1 per second until tokens replenish.

##Response headers

Every API response includes rate limit headers so clients can track their quota:

x-ratelimit-limit:      60
x-ratelimit-remaining:  58
x-ratelimit-after:      0

##Rate-limited responses

When the limit is exceeded, the API returns HTTP 429 Too Many Requests:

{
  "error": "rate_limit_exceeded"
}

The response includes a Retry-After header indicating how many seconds to wait before retrying.

HTTP/1.1 429 Too Many Requests
Retry-After: 1
Content-Type: application/json
 
{ "error": "rate_limit_exceeded" }

##Client IP detection

Behind reverse proxies, the client IP is extracted in the following order:

1. X-Forwarded-For header
2. X-Real-IP header
3. TCP peer address (fallback)

This means requests routed through load balancers and CDNs are correctly attributed to the originating client.

##Best practices

• Use /bulk for batch lookups — a single bulk request with up to 100 items counts as one request against your quota.
• Read the response headers — check x-ratelimit-remaining to know when you are approaching the limit.
• Honor Retry-After — when you receive a 429, wait the indicated number of seconds before retrying.
• Avoid tight loops — if you need to look up many artifacts sequentially, add a small delay between requests or batch them with /bulk.