
Rate limiting

Rate limits and enumeration prevention

Our system does not apply any rate limits to server-to-server API calls. Instead, we aim to scale the system with you to meet the throughput needs of your business.

That said, we do apply certain rate limits to browser/app-to-server API calls in order to prevent enumeration attacks, in which a malicious party iterates through credit, debit, or scheme card numbers to check which ones are valid.

Enumeration prevention

In order to prevent enumeration attacks, the following limits are applied.

| Token & Endpoints | Limit |
| --- | --- |
| JWT token with the embed scope, used for the following endpoints: | This limit prevents front-end integrations from being used to enumerate card numbers or gift card numbers. Server-to-server calls are not affected. |
| Used for the following endpoints: | This limit applies to Secure Fields when storing card details and prevents abuse of the session ID. |

Rate limit

The current rate limit for these endpoints is approximately 50 requests per minute, counted across all endpoints, per token. This value may be lowered over time in response to enumeration attacks.

We recommend generating a new checkout session ID or JWT token for every checkout, so that a legitimate user does not run into the rate limit.
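To illustrate why a fresh token per checkout matters, here is an added example (not code from this product or its documentation) of a per-token sliding-window limiter modelled on the policy above: a shared budget of about 50 requests per minute across all protected endpoints, keyed on the token. The endpoint path and token names are placeholders; the clock is injectable so the behaviour can be checked deterministically.

```python
import time
from collections import defaultdict, deque

# Values taken from the documented policy: ~50 requests/minute per token.
WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 50


class PerTokenRateLimiter:
    """Sliding-window limiter keyed on the checkout session ID / JWT token."""

    def __init__(self, limit=MAX_REQUESTS_PER_WINDOW, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # token -> timestamps of recent requests

    def allow(self, token, endpoint):
        """Return True if the request fits the token's budget, else False.

        `endpoint` is accepted only so callers can log it: the budget is
        shared across all protected endpoints, as the policy states."""
        now = self.clock()
        hits = self._hits[token]
        while hits and now - hits[0] >= self.window:  # drop expired entries
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # enumeration attempt or a token reused too often
        hits.append(now)
        return True


def simulate(limiter, token_for_checkout, checkouts=3, calls_per_checkout=20):
    """Run several checkouts in the same minute and return how many calls
    were rejected. `token_for_checkout(i)` decides whether checkouts share
    one token or each get a fresh one (the documentation's recommendation)."""
    rejected = 0
    for i in range(checkouts):
        token = token_for_checkout(i)
        for _ in range(calls_per_checkout):
            # "/card-details" is a placeholder path, not a real endpoint.
            if not limiter.allow(token, "/card-details"):
                rejected += 1
    return rejected


if __name__ == "__main__":
    # Constructed scenario: 3 checkouts x 20 calls = 60 calls within one minute.
    print("shared token, rejected:", simulate(PerTokenRateLimiter(), lambda i: "shared"))
    print("fresh token, rejected:", simulate(PerTokenRateLimiter(), lambda i: f"tok-{i}"))
```

With a single shared token the 51st call onward is rejected (10 rejections in the scenario above); with a fresh token per checkout every call is allowed while the per-token cap still bounds any one token's enumeration attempts.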
