API Rate Limits

API rate limits define the maximum number of API requests a single OneTrust account can make within a given period of time. These limits help us provide the reliable and scalable API that our developer community relies on.

Rate limiting is enabled for Trial, UAT, and Production environments to help control API traffic volumes and to provide reliable service. Analysis of historical usage and minimal account requirements are the key factors to decide the rate limits.

Account-Level Rate Limits

Rate-limiting rules are applicable at the OneTrust account level.

RuleRate LimitIf Violated
Default Hour Rule200,000 / HourTraffic is blocked from the account for 1 hour.
Default Minute Rule20,000 / MinuteTraffic is blocked from the account for 1 minute.

If the above limits are exceeded, the API request will fail and return a HTTP 429 (Too Many Requests) status code.

📘

For example, if User 1 calls the ABC API 100,000 times and User 2 calls the DEF API 100,000 times, then the account will have reached the API rate limit for the hour. Any API calls requested in excess of this limit will fail and return a HTTP 429 status code.

👍

Account-level rate limiting rules are applicable to all OneTrust modules in all environments. Account-level rules are the default rules that apply to all APIs. However, there are also stricter OneTrust module-level rate limiting rules. Refer to Module-Level Rate Limits.

Sample HTTP Response

HTTP/1.1 429 Too Many Requests

Retry-After: 55
ot-ratelimit-event-id: 84af5a75-1cfa-425e-8b56-1cb276851111
ot-requests-allowed: 20000
ot-period: MINUTE
ot-request-made: 20009
HTTP/1.1 429 Too Many Requests

Retry-After: 2135
ot-ratelimit-event-id: 7a02f248-16fd-4834-9291-245c0a5f7454
ot-requests-allowed: 200000
ot-period: HOUR
ot-request-made: 200567
HeaderDescription
Retry-AfterThe number of seconds after which requests will be allowed again.
ot-ratelimit-event-idThe unique identifier for the rate-limiting event.
ot-requests-allowedThe number of requests allowed within the specified period.
ot-periodThe unit of time for which the rate limit applies.
ot-request-madeThe number of requests made within the specified period.

👍

Temporary account-level unblocking can be done if needed by adding an override. Please contact OneTrust Support for further assistance on any rate limiting related issues.

Handling 429 Status Code

Below is a rudimentary example of how to handle a 429 status code. You can adapt this example as a starting point to fit your use cases, coding standards, and best practices.

import requests
try:
  	# Update to Valid Request
    response = requests.get(url, headers = headers)
    if response.status_code == 429:
        # Prints all OneTrust 429 Related Headers 
        print("Retry-After:",response.headers["Retry-After"])
        print("ot-period:",response.headers["ot-period"])
        print("ot-ratelimit-event-id:",response.headers["ot-ratelimit-event-id"])
        print("ot-requests-allowed:",response.headers["ot-requests-allowed"])
        print("ot-request-made:",response.headers["ot-request-made"])
        # Suspend Sending Additional Requests until the Retry-After period has elapsed
        time.sleep(int(response.headers["Retry-After"]))
    return response.content
except requests.exceptions.RequestException as e:
    return e

Sandbox Account Rate Limits

RuleRate LimitIf Violated
Sandbox Default Hour Rule50k Calls/HourTraffic is blocked from the account for 2 minutes.
Sandbox Default Minute Rule5k Calls/MinuteTraffic is blocked from the account for 1 minute.

Module-Level Rate Limits

The following areas also have module-specific rate limiting rules in addition to the standard account-level rules.

Integration

RuleRate LimitIf ViolatedAPI Path
Default Integration Webhook Minute Rule3k Webhook Calls / MinuteTraffic is blocked from the account for 1 minute./integrationmanager/api/v1/webhook/*

Consent & Preference Management

RuleRate LimitIf ViolatedAPI Path
2k Per Minute Rule2k Calls/MinuteThe API will not perform on the expected Service Level Objectives (SLOs) level.POST /request/v1/consentreceipts
3k Per Minute Rule3k Calls/MinuteThe API will not perform on the expected Service Level Objectives (SLOs) level.GET /v1/preferences
1K Per Minute Rule1K Calls/MinuteThe API will not perform on the expected Service Level Objectives (SLOs) level.GET /v4/datasubjects/basic-details
1K Per Minute Rule1K Calls/MinuteThe API will not perform on the expected Service Level Objectives (SLOs) level.GET /v4/datasubjects/details
1K Per Minute Rule1K Calls/MinuteThe API will not perform on the expected Service Level Objectives (SLOs) level.GET /v4/datasubjects/ds-profiles
1K Per Minute Rule1K Calls/MinuteThe API will not perform on the expected Service Level Objectives (SLOs) level.GET /v4/datasubjects/profiles/{purposeGuid}
RuleRate LimitIf ViolatedAPI Path
Consent API Quota300 Calls/Minute, 18k Calls/Hour429 ERROR status will returned with a Rate Limit ID and the blocked duration.GET /v1/datasubjects/profiles
Consent API Quota300 Calls/Minute, 18k Calls/Hour429 ERROR status will returned with a Rate Limit ID and the blocked duration.GET /v2/datasubjects
Consent API Quota1k Calls/Minute, 60k Calls/Hour429 ERROR status will returned with a Rate Limit ID and the blocked duration.GET /v3/datasubjects

For more details, refer Consent API Service Level Objectives.

User Provisioning

RuleRate LimitIf ViolatedAPI Path
User Provisioning API Quota2k Calls/Minute, 20k Calls/Hour429 ERROR status will returned with a Rate Limit ID and the blocked duration./api/scim/*