Rate limiting
Slothbox rate limits API requests per caller so that one client — or a leaked API key — can't exhaust shared resources. The limits are generous for normal use; you'll typically only hit them with tight loops or runaway scripts.
When you exceed a limit the API responds with 429 Too Many Requests and a Retry-After header telling you how many seconds to wait:

```http
HTTP/1.1 429 Too Many Requests
Retry-After: 12
Content-Type: application/json

{ "error": { "message": "Rate limit exceeded. Please retry later." } }
```
The body uses the same error envelope as every other response.
Handling a 429
Respect the Retry-After header: wait that many seconds, then retry. A simple backoff is enough — there's no need to hammer the endpoint. (The TypeScript SDK surfaces the header as RateLimitError.retryAfter and its retry middleware honours it for you.)

```ts
async function withRetry(send: () => Promise<Response>): Promise<Response> {
  for (;;) {
    const res = await send();
    if (res.status !== 429) return res;
    // Retry-After is a number of seconds; fall back to 1s when the header is
    // missing or not numeric, so a bad value never turns this into a tight loop
    const secs = Number(res.headers.get("Retry-After"));
    const wait = Number.isFinite(secs) && secs > 0 ? secs : 1;
    await new Promise((r) => setTimeout(r, wait * 1000));
  }
}
```
How callers are identified
Limits are tracked per caller:
- Per API key — each sk_… key has its own budget, so a runaway key never eats into your signed-in dashboard session (and vice versa).
- Per user — requests made with your signed-in session are counted per user.
- Per organization — the most expensive operations (below) are also counted per organization, so an org's members share one budget for those.
Limits
Most endpoints share a generous default budget. A handful of expensive operations have tighter, organization-wide limits:
| Operation | Limit |
|---|---|
| Most endpoints | 120 / minute |
| AWS connection checks, secret reads/writes, box start/stop/delete | 20 / minute per org |
| Launching boxes & baking templates | 10 / minute (and 60 / hour) |
| Sending invites | 10 / minute (and 50 / day) |
| Billing changes | 20 / minute per org |
| GitHub-backed calls (list repos, inspect, SSH key) | 30 / minute |
| Unauthenticated token / OAuth-callback routes | 10 / minute per IP |
Limits may change as the service evolves — always read Retry-After rather than hard-coding a delay.
Bursts
There's also a coarse per-second ceiling on the API as a whole to absorb traffic spikes. If you send a sudden burst far above normal you may see a 429 from the gateway with a short Retry-After; spreading your requests out resolves it.
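As an added example (not Slothbox SDK code), the TypeScript below paces a batch job under a per-minute budget with a token bucket so bursts are spread out before they reach the gateway, and still honours Retry-After (seconds or HTTP-date form) if a 429 arrives, as described under Handling a 429 above. The Pacer, retryAfterMs and sendPaced names, the ApiResponse shape and the injectable clock are this example's own assumptions, not part of the SDK.

```typescript
// Added example (not Slothbox SDK code): pace a batch job under a per-minute
// budget with a token bucket, and honour Retry-After if a 429 still arrives.
// Time is injectable so the pacing logic can be tested without real waiting.
export interface Clock { now(): number; sleep(ms: number): Promise<void> }
export interface ApiResponse { status: number; headers: { get(name: string): string | null } }
export const realClock: Clock = {
  now: () => Date.now(),
  sleep: (ms) => new Promise((r) => setTimeout(r, ms)),
};

// Token bucket: `capacity` requests per `perMs` ms, refilled evenly.
// new Pacer(120, 60_000) matches the 120/minute default budget above.
export class Pacer {
  private tokens: number;
  private last: number;
  constructor(private capacity: number, private perMs: number, private now: () => number = Date.now) {
    this.tokens = capacity;
    this.last = now();
  }
  // Reserves one request and returns how many ms to wait before sending it
  // (0 while the bucket has tokens; otherwise time until it refills to zero).
  reserve(): number {
    const t = this.now();
    this.tokens = Math.min(this.capacity, this.tokens + ((t - this.last) * this.capacity) / this.perMs);
    this.last = t;
    this.tokens -= 1;
    return this.tokens >= 0 ? 0 : Math.ceil((-this.tokens * this.perMs) / this.capacity);
  }
}

// Retry-After is either a delay in seconds or an HTTP date; default to 1s.
export function retryAfterMs(header: string | null, nowMs: number): number {
  if (header === null || header.trim() === "") return 1000;
  const secs = Number(header);
  if (Number.isFinite(secs) && secs >= 0) return secs * 1000;
  const at = Date.parse(header);
  return Number.isNaN(at) ? 1000 : Math.max(0, at - nowMs);
}

// Sends through the pacer; on 429 waits Retry-After and retries (bounded).
export async function sendPaced(pacer: Pacer, send: () => Promise<ApiResponse>,
                                clock: Clock = realClock, maxAttempts = 5): Promise<ApiResponse> {
  for (let attempt = 1; ; attempt++) {
    await clock.sleep(pacer.reserve());
    const res = await send();
    if (res.status !== 429 || attempt >= maxAttempts) return res;
    await clock.sleep(retryAfterMs(res.headers.get("Retry-After"), clock.now()));
  }
}
```

Wrap each API call in sendPaced with one shared Pacer per API key (or per organization for the org-wide operations in the table) so the whole job, not each worker, stays within the budget.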