Rate limits
Monthly quotas per plan, what happens at the limit, and how to read X-RateLimit headers.
Every plan has a monthly quota and a burst rate limit. Cache hits are free and don't count toward either.
Plan quotas
| Plan | Monthly quota | Burst rate | API keys |
|---|---|---|---|
| Free | 500 | 30 req/min | 2 |
| Starter | 2,000 | 45 req/min | 5 |
| Pro | 10,000 | 90 req/min | 10 |
| Business | 50,000 | 180 req/min | Unlimited |
Test-mode keys (vtv_test_) bypass all plan gates entirely.
Burst rate limiting
Each API key is limited to a per-minute request rate based on its plan. The burst check runs before the monthly quota check. If you exceed the burst limit, you get a 429 with a Retry-After header indicating when the current minute window resets.
Burst limits protect upstream registries from traffic spikes. Cached responses are fast (under 2ms) and don't count against burst limits.
/v1/rates endpoint
The public /v1/rates endpoint has a separate IP-based rate limit of 20 requests per hour for unauthenticated callers. Authenticated callers (any valid API key) get unlimited access to rates data.
Response headers
Every successful response includes:
X-RateLimit-Limit: 10000
X-RateLimit-Remaining: 9876
X-RateLimit-Reset: 1714521600Reset is a Unix timestamp for when your quota resets (always 00:00 UTC on the 1st of the next month).
Hitting the limit
When you exceed quota, we return:
{
"error": {
"code": "rate_limited",
"message": "Monthly quota exceeded."
},
"meta": {
"request_id": "a1b2c3d4-...",
"latency_ms": 0
}
}Also with Retry-After: <seconds> header.
What counts: one live registry call per request. Cache hits are free. Test-mode calls are free.