X-RateLimit-Limit
The HTTP X-RateLimit-Limit unofficial response header communicates the maximum number of requests allowed within the current rate limit window.
Standardized successor
The IETF is standardizing rate limit signaling under the
RateLimit and
RateLimit-Policy response fields, a
vendor-neutral replacement for the de facto
X-RateLimit-* headers.
Usage
The X-RateLimit-Limit header is part of a widely adopted convention for communicating rate limit information in HTTP responses. APIs include this header alongside X-RateLimit-Remaining (how many requests are left) and X-RateLimit-Reset (when the window resets) to give clients visibility into their consumption against the allowed quota.
Services like GitHub send X-RateLimit-Limit in API responses, and the pattern is widely adopted across REST APIs. The value represents the total request budget for the current window. When a client exceeds this limit, the server responds with a 429 status code and a Retry-After header indicating when the client is allowed to resume sending requests.
The IETF has published a draft standard as part of a
broader effort to formalize rate limit
HTTP headers. Earlier versions of the
draft defined separate RateLimit-Limit,
RateLimit-Remaining, and RateLimit-Reset fields,
but the current proposal
(draft-ietf-httpapi-ratelimit-headers) consolidates
these into two fields: RateLimit and
RateLimit-Policy. Once widely adopted, the
standardized headers are intended to replace the
X- prefixed convention.
Note
The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated and needs to be transitioned to the formal naming convention for HTTP headers.
Values
The value is a number representing the maximum allowed requests in the current rate limit window. The number is typically an integer, though some implementations use decimal values.
X-RateLimit-Limit: <number>
The meaning of the window (per minute, per hour, per
day) depends on the API. This header does not encode
the window duration directly. Clients rely on
X-RateLimit-Reset or API documentation for timing
details.
Example
A typical API response includes all three rate limit headers together. This example shows a limit of 60 requests per window, with 45 remaining and a reset timestamp in Unix epoch seconds.
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1714003200
Some APIs set higher limits. A value of 1000 indicates the API allows up to 1,000 requests per window. This is common in public-facing REST APIs with generous quotas.
X-RateLimit-Limit: 1000
Certain implementations use fractional values to
represent calculated rates. A value like
952.38095238095 reflects a per-second rate
multiplied across the window duration, a pattern
seen in e-commerce platform APIs.
X-RateLimit-Limit: 952.38095238095
See also
- X-RateLimit-Remaining
- X-RateLimit-Reset
- RateLimit
- RateLimit-Policy
- Retry-After
- X-Request-Id
- 429
- HTTP headers