API rate limits define the maximum number of API requests a single OneTrust account can make within a given period of time. These limits help us provide the reliable and scalable API that our developer community relies on.
Rate limiting is enabled for Trial, UAT, and Production environments to help control API traffic volumes and to provide reliable service. Analysis of historical usage and minimal account requirements are the key factors to decide the rate limits.
Account-Level Rate Limits
Rate-limiting rules are applicable at the OneTrust account level.
| Rule | Rate Limit | If Violated |
|---|---|---|
| Default Hour Rule | 200,000 / Hour | Traffic is blocked from the account for 1 hour. |
| Default Minute Rule | 20,000 / Minute | Traffic is blocked from the account for 1 minute. |
If the above limits are exceeded, the API request will fail and return a HTTP 429 (Too Many Requests) status code.
For example, if User 1 calls the ABC API 100,000 times and User 2 calls the DEF API 100,000 times, then the account will have reached the API rate limit for the hour. Any API calls requested in excess of this limit will fail and return a HTTP 429 status code.
Account-level rate limiting rules are applicable to all OneTrust modules in all environments. Account-level rules are the default rules that apply to all APIs. However, there are also stricter OneTrust module-level rate limiting rules. Refer to Module-Level Rate Limits.
Sample HTTP Response
HTTP/1.1 429 Too Many Requests
Retry-After: 55
ot-ratelimit-event-id: 84af5a75-1cfa-425e-8b56-1cb276851111
ot-requests-allowed: 20000
ot-period: MINUTE
ot-request-made: 20009
HTTP/1.1 429 Too Many Requests
Retry-After: 2135
ot-ratelimit-event-id: 7a02f248-16fd-4834-9291-245c0a5f7454
ot-requests-allowed: 200000
ot-period: HOUR
ot-request-made: 200567
| Header | Description |
|---|---|
Retry-After | The number of seconds after which requests will be allowed again. |
ot-ratelimit-event-id | The unique identifier for the rate-limiting event. |
ot-requests-allowed | The number of requests allowed within the specified period. |
ot-period | The unit of time for which the rate limit applies. |
ot-request-made | The number of requests made within the specified period. |
Temporary account-level unblocking can be done if needed by adding an override. Please contact OneTrust Support for further assistance on any rate limiting related issues.
Handling 429 Status Code
Below is a rudimentary example of how to handle a 429 status code. You can adapt this example as a starting point to fit your use cases, coding standards, and best practices.
import requests
try:
# Update to Valid Request
response = requests.get(url, headers = headers)
if response.status_code == 429:
# Prints all OneTrust 429 Related Headers
print("Retry-After:",response.headers["Retry-After"])
print("ot-period:",response.headers["ot-period"])
print("ot-ratelimit-event-id:",response.headers["ot-ratelimit-event-id"])
print("ot-requests-allowed:",response.headers["ot-requests-allowed"])
print("ot-request-made:",response.headers["ot-request-made"])
# Suspend Sending Additional Requests until the Retry-After period has elapsed
time.sleep(int(response.headers["Retry-After"]))
return response.content
except requests.exceptions.RequestException as e:
return e
Sandbox Account Rate Limits
Public Preview Notice
The Automated Sandbox Creation feature is currently under Public Preview. Please contact your account representative or OneTrust Support to request early access. For more information, see Managing Sandbox Accounts.
| Rule | Rate Limit | If Violated |
|---|---|---|
| Sandbox Default Hour Rule | 50k Calls/Hour | Traffic is blocked from the account for 2 minutes. |
| Sandbox Default Minute Rule | 5k Calls/Minute | Traffic is blocked from the account for 1 minute. |
Module-Level Rate Limits
The following areas also have module-specific rate limiting rules in addition to the standard account-level rules.
Integration
| Rule | Rate Limit | If Violated | API Path |
|---|---|---|---|
| Default Integration Webhook Minute Rule | 3k Webhook Calls / Minute | Traffic is blocked from the account for 1 minute. | /integrationmanager/api/v1/webhook/* |
Consent & Preference Management
| Rule | Rate Limit | If Violated | API Path |
|---|---|---|---|
| 2k Per Minute Rule | 2k Calls/Minute | The API will not perform on the expected Service Level Objectives (SLOs) level. | POST/request/v1/consentreceipts |
| 3k Per Minute Rule | 3k Calls/Minute | The API will not perform on the expected Service Level Objectives (SLOs) level. | GET/v1/preferences |
| Rule | Rate Limit | If Violated | API Path |
|---|---|---|---|
| Consent API Quota | 5k Calls/Minute, 50k Calls/Hour | 429 ERROR status will returned with a Rate Limit ID and the blocked duration. | GET /v1/datasubjects/profiles |
| Consent API Quota | 5k Calls/Minute, 50k Calls/Hour | 429 ERROR status will returned with a Rate Limit ID and the blocked duration. | GET /v2/datasubjects |
| Consent API Quota | 5k Calls/Minute, 50k Calls/Hour | 429 ERROR status will returned with a Rate Limit ID and the blocked duration. | GET /v3/datasubjects |
For more details, refer Consent API Service Level Objectives.
User Provisioning
| Rule | Rate Limit | If Violated | API Path |
|---|---|---|---|
| User Provisioning API Quota | 2k Calls/Minute, 20k Calls/Hour | 429 ERROR status will returned with a Rate Limit ID and the blocked duration. | /api/scim/* |