API rate limits define the maximum number of API requests a single OneTrust account can make within a given period of time. These limits protect platform stability, prevent one workload from affecting other customers, and keep performance predictable during traffic spikes, so that the APIs the developer community relies on stay reliable and scalable.
Rate limiting is enabled for Trial, UAT, and Production environments to control API traffic volumes and provide reliable service. The limits are set based on analysis of historical usage and minimum account requirements.
Account-Level Rate Limits
Rate-limiting rules are applicable at the OneTrust account level.
| Rule | Rate Limit | If Violated |
|---|---|---|
| Default Hour Rule | 200,000 / Hour | HTTP 429 (Too Many Requests) response will be returned with a Retry-After header indicating the wait time. |
| Default API Rate Limit | 1,000 / Minute | HTTP 429 (Too Many Requests) response will be returned with a Retry-After header indicating the wait time. |
How limits are evaluated
Requests must satisfy both the account-level and API-level limits. The 200,000 requests/hour limit applies across the entire account, while the 1,000 requests/minute limit applies to each API endpoint individually. If either limit is exceeded, the API request fails with an HTTP 429 (Too Many Requests) status code.
For example, if a specific API has a rate limit of 1,000 requests per minute, then any requests beyond 1,000 to that API within the same minute will fail and return an HTTP 429 status code. However, if API A = 600 requests/minute and API B = 500 requests/minute, neither API exceeds the 1,000 requests/minute limit, so requests will continue successfully even though the combined volume exceeds 1,000 requests/minute.
Separately, if API A = 60,000 requests, API B = 50,000 requests, API C = 40,000 requests, and API D = 50,000 requests within 1 hour, the account will reach the 200,000 requests per hour account-level limit. Subsequent requests may receive HTTP 429 responses until the hourly window resets.
Account-level rate limiting rules apply to all OneTrust products in all environments and are the default rules for all APIs. Because the hourly budget is shared by every integration that calls the same account, one runaway client can exhaust it for all of them. Some modules also have stricter module-level rate limiting rules. Refer to Module-Level Rate Limits.
Sample HTTP Response
A per-API minute-limit violation:
```http
HTTP/1.1 429 Too Many Requests
Retry-After: 55
ot-ratelimit-event-id: 84af5a75-1cfa-425e-8b56-1cb276851111
ot-requests-allowed: 1000
ot-period: MINUTE
ot-request-made: 1009
```
An account-level hour-limit violation:
```http
HTTP/1.1 429 Too Many Requests
Retry-After: 2135
ot-ratelimit-event-id: 7a02f248-16fd-4834-9291-245c0a5f7454
ot-requests-allowed: 200000
ot-period: HOUR
ot-request-made: 200567
```
| Header | Description |
|---|---|
| Retry-After | The number of seconds after which requests will be allowed again. |
| ot-ratelimit-event-id | The unique identifier for the rate-limiting event. |
| ot-requests-allowed | The number of requests allowed within the specified period. |
| ot-period | The unit of time (MINUTE or HOUR) for which the violated limit applies. |
| ot-request-made | The number of requests made within the specified period. |
Existing customer workloads that exceed default thresholds can be covered through approved overrides. Overrides are evaluated on a case-by-case basis and are not automatically provisioned for new implementations, integrations, or traffic increases.
If rate limiting is impacting production workloads, contact OneTrust Support with:
• Tenant ID
• API endpoint
• Request volume
• Business justification
Handling 429 Status Code
Below is a rudimentary example of how to handle a 429 status code. You can adapt this example as a starting point to fit your use cases, coding standards, and best practices.
```python
import time
import requests


def get_with_retry_after(url, headers):
    """Send one GET. On HTTP 429, print the OneTrust rate-limit headers and
    pause for the Retry-After period before returning the response body."""
    try:
        # Update to a valid request: url and headers are your own values
        response = requests.get(url, headers=headers)
        if response.status_code == 429:
            # Print all OneTrust 429-related headers
            print("Retry-After:", response.headers["Retry-After"])
            print("ot-period:", response.headers["ot-period"])
            print("ot-ratelimit-event-id:", response.headers["ot-ratelimit-event-id"])
            print("ot-requests-allowed:", response.headers["ot-requests-allowed"])
            print("ot-request-made:", response.headers["ot-request-made"])
            # Suspend sending additional requests until the Retry-After period has elapsed
            time.sleep(int(response.headers["Retry-After"]))
        return response.content
    except requests.exceptions.RequestException as e:
        # Rudimentary: hand the error back to the caller instead of raising
        return e
```
Best Practice
Applications should honor the Retry-After header and implement exponential backoff, with jitter, when retrying rate-limited requests, so that many clients do not retry in lockstep at the moment the window resets.
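The following is an added example, not OneTrust's code or part of the original page. It turns the two rules described under "How limits are evaluated" into a client-side throttle (a per-endpoint minute window plus an account-wide hour window, both of which must have room before a request is sent) and combines it with a retry loop that honors Retry-After and falls back to exponential backoff with jitter. The sliding-window model, the `send` and `sleep` callables, and the constructed 429 responses are assumptions for illustration; the page does not state whether OneTrust's windows are fixed or sliding, so treat the local limiter as an approximation that keeps you under the documented numbers rather than a replica of the server's accounting.

```python
import random
import time
from collections import deque

# Account-level defaults documented on this page.
PER_API_PER_MINUTE = 1000
ACCOUNT_PER_HOUR = 200_000


class SlidingWindow:
    """Counts request timestamps inside a rolling window of `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = deque()

    def _evict(self, now):
        # Drop timestamps that have aged out of the window.
        while self.events and self.events[0] <= now - self.window:
            self.events.popleft()

    def allow(self, now):
        self._evict(now)
        return len(self.events) < self.limit

    def record(self, now):
        self.events.append(now)


class LocalRateLimiter:
    """Client-side model (an assumption, not OneTrust's implementation) of the
    two limits: N/minute per endpoint and M/hour for the whole account. A
    request is admitted only when both windows have room."""

    def __init__(self, api_per_minute=PER_API_PER_MINUTE, account_per_hour=ACCOUNT_PER_HOUR):
        self.api_per_minute = api_per_minute
        self.account = SlidingWindow(account_per_hour, 3600)
        self.per_api = {}

    def try_acquire(self, endpoint, now=None):
        now = time.monotonic() if now is None else now
        bucket = self.per_api.setdefault(endpoint, SlidingWindow(self.api_per_minute, 60))
        if not (self.account.allow(now) and bucket.allow(now)):
            return False
        self.account.record(now)
        bucket.record(now)
        return True


def parse_rate_limit_headers(headers):
    """Read the 429 headers documented above. Names match case-insensitively;
    a missing or non-numeric Retry-After yields None (the page shows seconds)."""
    h = {k.lower(): v for k, v in headers.items()}
    retry_after = h.get("retry-after")
    return {
        "retry_after": int(retry_after) if retry_after and str(retry_after).isdigit() else None,
        "event_id": h.get("ot-ratelimit-event-id"),
        "period": h.get("ot-period"),
        "allowed": h.get("ot-requests-allowed"),
        "made": h.get("ot-request-made"),
    }


def backoff_delay(attempt, retry_after, base=1.0, cap=60.0, rng=random.random):
    """Retry-After wins when the server supplies it; otherwise exponential
    backoff with full jitter so clients do not retry in lockstep."""
    if retry_after is not None:
        return float(retry_after)
    return rng() * min(cap, base * (2 ** attempt))


def send_with_retry(send, max_attempts=5, sleep=time.sleep):
    """Call send() -> (status, headers, body). On 429, wait per backoff_delay
    and retry up to max_attempts. Returns (status, body, waits) on success.
    `send` and `sleep` are injectable so the logic can be exercised offline."""
    waits = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body, waits
        info = parse_rate_limit_headers(headers)
        delay = backoff_delay(attempt, info["retry_after"])
        waits.append(delay)
        sleep(delay)
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)


if __name__ == "__main__":
    # Constructed responses: two 429s carrying the page's headers, then a 200.
    responses = iter([
        (429, {"Retry-After": "55", "ot-period": "MINUTE", "ot-requests-allowed": "1000",
               "ot-request-made": "1009", "ot-ratelimit-event-id": "example-1"}, b""),
        (429, {"Retry-After": "2", "ot-period": "MINUTE", "ot-requests-allowed": "1000",
               "ot-request-made": "1001", "ot-ratelimit-event-id": "example-2"}, b""),
        (200, {}, b"ok"),
    ])
    print(send_with_retry(lambda: next(responses), sleep=lambda s: None))
```

In a real integration, call `try_acquire` before each request (blocking or queueing when it returns False) and wrap the actual HTTP call in `send_with_retry`; the local limiter keeps you under the documented numbers in the common case, and the retry loop handles the 429s that still arrive when several integrations share the same account.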
Sandbox Account Rate Limits
| Rule | Rate Limit | If Violated |
|---|---|---|
| Sandbox Default Hour Rule | 50k Calls/Hour | HTTP 429 (Too Many Requests) response will be returned with a Retry-After header indicating the wait time. |
| Sandbox Default API Rate Limit | 250 Calls/Minute | HTTP 429 (Too Many Requests) response will be returned with a Retry-After header indicating the wait time. |
Module-Level Rate Limits
The following areas also have module-specific rate limiting rules in addition to the standard account-level rules.
Integration
| Rule | Rate Limit | If Violated | API Path |
|---|---|---|---|
| Default Integration Webhook Minute Rule | 3k Webhook Calls / Minute | Traffic is blocked from the account for 1 minute. | /integrationmanager/api/v1/webhook/* |
Universal Consent & Preference Management
| Rule | Rate Limit | If Violated | API Path |
|---|---|---|---|
| 2k Per Minute Rule | 2k Calls/Minute | The API will not perform at its expected Service Level Objectives (SLOs). | POST /request/v1/consentreceipts |
| 3k Per Minute Rule | 3k Calls/Minute | The API will not perform at its expected Service Level Objectives (SLOs). | GET /v1/preferences |
| 1k Per Minute Rule | 1k Calls/Minute | The API will not perform at its expected Service Level Objectives (SLOs). | GET /v4/datasubjects/basic-details |
| 1k Per Minute Rule | 1k Calls/Minute | The API will not perform at its expected Service Level Objectives (SLOs). | GET /v4/datasubjects/details |
| 1k Per Minute Rule | 1k Calls/Minute | The API will not perform at its expected Service Level Objectives (SLOs). | GET /v4/datasubjects/ds-profiles |
| 1k Per Minute Rule | 1k Calls/Minute | The API will not perform at its expected Service Level Objectives (SLOs). | GET /v4/datasubjects/profiles/{purposeGuid} |
| Default Consent Ingestion Provisioned | 3k Calls/Minute | The API will not perform at its expected Service Level Objectives (SLOs). | POST /v1/consentreceipts/bulk |
| Rule | Rate Limit | If Violated | API Path |
|---|---|---|---|
| Consent API Quota | 300 Calls/Minute, 18k Calls/Hour | An HTTP 429 status is returned with a rate-limit event ID and the blocked duration. | GET /v1/datasubjects/profiles |
| Consent API Quota | 300 Calls/Minute, 18k Calls/Hour | An HTTP 429 status is returned with a rate-limit event ID and the blocked duration. | GET /v2/datasubjects |
| Consent API Quota | 1k Calls/Minute, 60k Calls/Hour | An HTTP 429 status is returned with a rate-limit event ID and the blocked duration. | GET /v3/datasubjects |
For more details, refer to Consent API Service Level Objectives.
User Provisioning
| Rule | Rate Limit | If Violated | API Path |
|---|---|---|---|
| User Provisioning API Quota | 2k Calls/Minute, 20k Calls/Hour | An HTTP 429 status is returned with a rate-limit event ID and the blocked duration. | /api/scim/* |