Rate Limits
Akol enforces per-endpoint rate limits to protect the platform and your account. Limits are tracked per IP for unauthenticated routes and per user for authenticated ones.
Limits by category
| Category | Endpoints | Limit |
|---|---|---|
| Auth (standard) | /auth/login, /auth/register | 10 requests / minute |
| Auth (strict) | /auth/forgot-password, /auth/reset-password, /auth/resend-verification | 5 requests / 15 min |
| 2FA validation | /auth/verify-2fa, /auth/2fa/enable | 5 requests / 15 min |
| Phone purchase | /phone-numbers/purchase | 20 requests / minute |
| Data export | /users/me/export | 3 requests / hour |
| Default authed | All other authenticated endpoints | 100 requests / minute |
Account lockout (auth-specific)
After 5 failed login attempts on the same email, the account is locked for 30 minutes. After 20 failed attempts from the same IP (across any account), the IP is blocked for 15 minutes. These are in addition to the per-minute rate limit.
What you get back when throttled
```
HTTP/1.1 429 Too Many Requests
Retry-After: 42

{
  "success": false,
  "error": "Too many requests. Please try again later."
}
```
Retry-After is in seconds. Wait at least that long before retrying.
For login-specific responses, you may also see:
- 423 Locked — the account itself is locked (different from rate limit)
- 429 with body mentioning “too many failed login attempts” — IP-level block
Best practices
- Honor Retry-After. Don’t aggressively retry — backoff is enforced per IP and excessive retries lengthen the cooldown.
- Use exponential backoff even when no Retry-After is present.
- Cache GETs that don’t change frequently (agent definitions, business info). Most resources have an updatedAt for ETag-style caching.
- For long-running integrations, use personal access tokens (not login tokens) so your service-account traffic doesn’t compete with user logins.
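A retry wrapper that follows the practices above, as an added example (not Akol's own client code): Retry-After is treated as a minimum wait, exponential backoff with jitter is used when the header is absent, and a 423 or an IP-level block stops the loop instead of being retried. The `send` callable, the backoff constants, and the substring match on the error body are assumptions.

```python
import random
import time

BASE_DELAY = 1.0   # assumed first backoff step, seconds (not an Akol value)
MAX_DELAY = 60.0   # assumed backoff ceiling, seconds (not an Akol value)

class AccountLocked(Exception):
    """423 Locked: the account itself is locked; retrying cannot help."""

class IpBlocked(Exception):
    """429 whose body mentions failed logins: IP-level block."""

class Throttled(Exception):
    """Still rate limited after the retry budget was spent."""

def retry_delay(headers, attempt, rng=random.random):
    """Seconds to wait after a 429; Retry-After is treated as a minimum."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    if value.strip().isdigit():
        return float(value)
    # Header absent: exponential backoff with jitter (half fixed, half random).
    cap = min(MAX_DELAY, BASE_DELAY * 2 ** attempt)
    return cap / 2 + rng() * cap / 2

def call_with_backoff(send, max_attempts=4, sleep=time.sleep, rng=random.random):
    """Call send() -> (status, headers, body dict) until it is not throttled."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        error = str(body.get("error", ""))
        if status == 423:
            raise AccountLocked(error)
        if status != 429:
            return status, body
        # Assumption: the IP-level block is recognised by this phrase in the body.
        if "too many failed login attempts" in error.lower():
            raise IpBlocked(error)
        if attempt < max_attempts - 1:
            sleep(retry_delay(headers, attempt, rng))
    raise Throttled(f"still throttled after {max_attempts} attempts")

if __name__ == "__main__":
    # Constructed responses: one 429 with Retry-After, one without, then success.
    replies = iter([(429, {"Retry-After": "42"}, {"success": False}),
                    (429, {}, {"success": False}),
                    (200, {}, {"success": True})])
    waits = []
    print(call_with_backoff(lambda: next(replies), sleep=waits.append), waits)
```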
Bulk operations
Endpoints that touch large datasets (call exports, transcript downloads) often have separate, stricter limits. The data-export endpoint, for example, is capped at 3 calls per hour per user. If you need to pull large volumes regularly, contact us at support@akol.ai about bulk export options.