Public ring: a fixed window per IP
The public ring caps each caller at 60 requests per 60-second window, keyed to the source IP. It is evaluated at the edge, so a throttled request never touches application code. When you exceed the window you get a 429 — wait for the window to roll and continue. For higher sustained throughput you need a partner project.
Partner ring: a token bucket per project
The partner ring meters with a token bucket scoped to your project, not to an individual key or token. Each bucket has a sustained refill rate and a burst capacity. Every request costs one token, and reads and writes are weighted equally. Because the bucket refills continuously, you can spend your burst in a short spike and settle back to the sustained rate without being locked out for a full minute.
Defaults: build (sandbox) 10 req/s / burst 50; launch 25 req/s / burst 100; scale 100 req/s / burst 400. Sandbox is fixed at build tier regardless of your live tier.
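The burst-then-settle behaviour described above, as an added example that is not the API's own code: a client-side model of the project bucket using the default tiers. It assumes the bucket starts full and counts in integer milli-tokens so the arithmetic is exact; `effective_tier`, `hammer` and `paced_send_times` are names invented for this illustration.

```python
# Added example: client-side model of the partner-ring token bucket.
TIERS = {"build": (10, 50), "launch": (25, 100), "scale": (100, 400)}  # req/s, burst
COST = 1000  # one request = one token = 1000 milli-tokens


def effective_tier(live_tier, sandbox):
    """Sandbox is fixed at build tier regardless of the live tier."""
    return "build" if sandbox else live_tier


class TokenBucket:
    def __init__(self, rate, burst, now_ms=0):
        self.rate = rate            # tokens/s, which equals milli-tokens/ms
        self.cap = burst * COST
        self.level = self.cap       # assumption: the bucket starts full
        self.stamp = now_ms

    def wait_ms(self, now_ms):
        """Take a token and return 0, or return the ms until one is available."""
        elapsed = max(0, now_ms - self.stamp)   # ignore a clock that steps back
        self.level = min(self.cap, self.level + elapsed * self.rate)
        self.stamp = max(self.stamp, now_ms)
        if self.level >= COST:
            self.level -= COST
            return 0
        return -(-(COST - self.level) // self.rate)  # ceiling division


def hammer(tier, offered_rps, seconds):
    """Send at a fixed rate with no pacing; return (admitted, throttled).

    offered_rps must divide 1000 so the send interval is a whole number of ms.
    """
    bucket = TokenBucket(*TIERS[tier])
    step = 1000 // offered_rps
    ok = [bucket.wait_ms(i * step) == 0 for i in range(offered_rps * seconds)]
    return ok.count(True), ok.count(False)


def paced_send_times(tier, n):
    """Wait out each shortfall instead of sending; return the send times in ms."""
    bucket, now, times = TokenBucket(*TIERS[tier]), 0, []
    while len(times) < n:
        wait = bucket.wait_ms(now)
        if wait == 0:
            times.append(now)
        now += wait
    return times
```

At build tier, hammering at 100 req/s for ten seconds gets 149 requests through (the 50-token burst plus the refill) and wastes 851 on throttles, while the paced client sends the burst at once and then one request every 100 ms with no rejections.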
Per-endpoint sub-limits
Some partner endpoints carry their own tighter cap because each call is expensive:
| Endpoint | Sub-limit | Why |
|---|---|---|
| POST /applications | 5 req/s | Each opens a decisioning case |
| POST /decisions/{id}/refresh | 1 req/s | Re-runs the model; costly |
| POST /payments/links | 10 req/s | Provisions a PISP payment |
| POST /identity/checks | 5 req/s | Calls the KYC/AML provider |
Read the RateLimit-Limit, RateLimit-Remaining and RateLimit-Reset headers on every response and slow down before you hit the wall — see handling rate limits.
Frequently asked questions
Are RateLimit-* headers on failures too?
Yes. Every response — success or failure, including the 429 itself — carries the current bucket state in RateLimit-Limit, RateLimit-Remaining and RateLimit-Reset. Read them instead of guessing so you can slow down before being throttled.
If I run several integrations from one project, do they share a limit?
Yes. The bucket is per project, so co-located integrations share it. Provision a separate project per workload when you need isolated headroom.