X-RateLimit-Limit

The HTTP X-RateLimit-Limit response header is an unofficial HTTP header indicating the maximum number of requests a client is allowed to make within the current rate limit window.

Table of Contents

Usage

The X-RateLimit-Limit header is part of a widely adopted convention for communicating rate limit information in HTTP responses. APIs include this header alongside X-RateLimit-Remaining (how many requests are left) and X-RateLimit-Reset (when the window resets) to give clients visibility into their consumption against the allowed quota.

Services like GitHub send X-RateLimit-Limit in API responses, and the pattern is widely adopted across REST APIs. The value represents the total request budget for the current window. When a client exceeds this limit, the server responds with a 429 status code and a Retry-After header indicating when the client is allowed to resume sending requests.

The IETF has published a draft standard as part of a broader effort to formalize rate limit HTTP headers. Earlier versions of the draft defined separate RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset fields, but the current proposal (draft-ietf-httpapi-ratelimit-headers) consolidates these into two fields: RateLimit and RateLimit-Policy. Once widely adopted, the standardized headers are intended to replace the X- prefixed convention.

Note

The "X-" naming convention for HTTP headers, "X" referring to "experimental", has been deprecated and needs to be transitioned to the formal naming convention for HTTP headers.

Values

The value is a number representing the maximum allowed requests in the current rate limit window. The number is typically an integer, though some implementations use decimal values.

X-RateLimit-Limit: <number>

The meaning of the window (per minute, per hour, per day) depends on the API. This header does not encode the window duration directly. Clients rely on X-RateLimit-Reset or API documentation for timing details.

Example

A typical API response includes all three rate limit headers together. This example shows a limit of 60 requests per window, with 45 remaining and a reset timestamp in Unix epoch seconds.

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1714003200

Some APIs set higher limits. A value of 1000 indicates the API allows up to 1,000 requests per window. This is common in public-facing REST APIs with generous quotas.

X-RateLimit-Limit: 1000

Certain implementations use fractional values to represent calculated rates. A value like 952.38095238095 reflects a per-second rate multiplied across the window duration, a pattern seen in e-commerce platform APIs.

X-RateLimit-Limit: 952.38095238095

Takeaway

The X-RateLimit-Limit header communicates the maximum number of requests allowed in a rate limit window. Paired with X-RateLimit-Remaining and X-RateLimit-Reset, this header gives API clients the information needed to stay within usage quotas.

See also

Last updated: March 6, 2026