RateLimit-Limit
The unofficial HTTP RateLimit-Limit response header is widely deployed and indicates the maximum number of requests a client is allowed to make within the current rate limit window.
Usage
RateLimit-Limit is one of three separate rate limit HTTP headers introduced in earlier IETF drafts. Together with RateLimit-Remaining and RateLimit-Reset, these headers give clients a clear picture of their rate limit quota and current consumption.
The header uses HTTP Structured Fields syntax. The simplest form is a bare integer representing the request quota. A more detailed form appends a policy with a window parameter (w) indicating the time window in seconds. Multiple policies are separated by commas when a server enforces more than one rate limit simultaneously.
These headers replace the older, non-standard X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers. Services like GitLab, CircleCI, and OKX already send this header.
Note
The current IETF draft (draft-ietf-httpapi-ratelimit-headers) consolidates these three separate headers into a single RateLimit header paired with RateLimit-Policy. The separate RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset names remain widely deployed but are not the direction the draft is heading.
Values
quota
An integer representing the maximum number of requests allowed within the current window. Sent as a bare number when no additional policy details are needed.
quota with window policy
The quota followed by a policy parameter w specifying the window duration in seconds. The format is <quota>;w=<seconds>. A policy name is optionally included as an additional parameter.
Example
A simple quota of 500 requests per rate limit window. GitLab sends this format across its API and web endpoints.
RateLimit-Limit: 500
An API returning a quota of 120 requests with an explicit 60-second window. The w parameter defines the window length in seconds.
RateLimit-Limit: 120;w=60
A server enforcing two separate policies at once. The first allows 100 requests per 60-second window, and the second allows 1000 requests per 3600-second window.
RateLimit-Limit: 100;w=60, 1000;w=3600
When all three rate limit headers appear together, a client sees the full picture of remaining quota and time until reset.
RateLimit-Limit: 500
RateLimit-Remaining: 359
RateLimit-Reset: 60
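As an added example (not code from this page or from any of the services it names), a client-side parser for the three value forms shown above that treats the header as untrusted input and derives a safe pacing interval. It splits on commas and semicolons rather than implementing full Structured Fields parsing, and the names Policy, parse_ratelimit_limit and min_interval are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Structured Fields integers have at most 15 digits; a quota is never negative.
_INT = re.compile(r"\d{1,15}\Z")

class Policy(NamedTuple):
    quota: int
    window: Optional[int]   # seconds; None when no w parameter was sent
    params: dict            # any other parameters, e.g. a policy name

def parse_ratelimit_limit(value: str) -> list:
    """Parse '500', '120;w=60' or '100;w=60, 1000;w=3600' into Policy tuples."""
    policies = []
    for member in value.split(","):          # one member per enforced policy
        item, *raw_params = [p.strip() for p in member.split(";")]
        if not _INT.match(item):
            raise ValueError(f"bad quota: {item!r}")
        window, params = None, {}
        for raw in raw_params:
            key, _, val = raw.partition("=")
            if not key:
                raise ValueError("empty parameter name")
            if key == "w":
                if not _INT.match(val) or int(val) == 0:
                    raise ValueError(f"bad window: {val!r}")
                window = int(val)
            else:
                params[key] = val.strip('"')  # kept but not interpreted
        policies.append(Policy(int(item), window, params))
    return policies

def min_interval(policies) -> Optional[float]:
    """Seconds between requests that keeps the client under every windowed policy."""
    gaps = [p.window / p.quota for p in policies if p.window and p.quota > 0]
    return max(gaps) if gaps else None        # the strictest policy wins
```

A bare quota carries no window, so min_interval returns None for it and the client has to rely on RateLimit-Remaining and RateLimit-Reset instead.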
Takeaway
The RateLimit-Limit header communicates the maximum number of requests allowed within the current rate limit window, giving API clients the information needed to pace requests and avoid 429 responses.
See also
- RateLimit Fields for HTTP (draft-ietf-httpapi-ratelimit-headers)
- RateLimit-Remaining
- RateLimit-Reset
- Retry-After
- 429
- HTTP headers