Rate Limits

Request limits per endpoint and what happens when you hit them (429).

Why we rate limit

Rate limits protect the service from abuse and ensure fair use. Unauthenticated users have stricter limits on public endpoints; authenticated users (JWT or API key) get higher limits. If you exceed a limit, the API returns 429 Too Many Requests with a message and optional retry guidance.

Per-endpoint limits (backend)

Auth (login, register, forgot-password, etc.): up to 10 attempts per 15 minutes per network (IP); sign-in is not counted against the general API quota.

Postbox submissions, corrections, comments, and similar actions are limited per signed-in account (or per validated API key), not per shared IP.

Anonymous browsing: up to 400 requests per 15 minutes on public feed/map/search endpoints (RATE_LIMIT_PUBLIC_MAX), and up to 300 per 15 minutes on other API routes (RATE_LIMIT_API_MAX); these caps do not stack on the same request.

Bulk export-style endpoints (sitemap IDs, many postbox detail pages) have lower hourly caps for anonymous users to deter scraping.

When you are logged in, limits apply to your account (default 600 API requests per 15 minutes; RATE_LIMIT_AUTH_MULTIPLIER). Invalid API keys do not receive the higher quota.

Owner and admin accounts are not rate limited.
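The Python below is an added illustration of the policy above, not this service's backend code: it shows how each request lands in exactly one bucket (so caps do not stack) and how the counting key switches from IP to account once credentials validate. The fixed-window algorithm, the route prefixes, the role labels, and the seconds-until-reset return value are assumptions; bulk export caps are left out.

```python
import math
import time
from collections import defaultdict

WINDOW = 15 * 60      # seconds; the page's 15-minute window
AUTH_MAX = 10         # login/register/forgot-password, per IP
PUBLIC_MAX = 400      # RATE_LIMIT_PUBLIC_MAX
API_MAX = 300         # RATE_LIMIT_API_MAX
ACCOUNT_MAX = 600     # default per-account quota when signed in
AUTH_PREFIXES = ("/auth/",)                     # assumed route names
PUBLIC_PREFIXES = ("/feed", "/map", "/search")  # assumed route names
EXEMPT_ROLES = ("owner", "admin")               # assumed role labels


class FixedWindowLimiter:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.counts = defaultdict(int)  # (bucket key, window index) -> hits

    def select_bucket(self, path, ip, account=None, role=None):
        """Pick exactly one (key, limit) per request; None means exempt.

        `account` must be set only after the JWT or API key validated, so
        an invalid key falls through to the anonymous per-IP buckets.
        """
        if role in EXEMPT_ROLES:
            return None
        if path.startswith(AUTH_PREFIXES):
            return (f"auth:{ip}", AUTH_MAX)      # separate from API quota
        if account is not None:
            return (f"acct:{account}", ACCOUNT_MAX)  # per account, not IP
        if path.startswith(PUBLIC_PREFIXES):
            return (f"public:{ip}", PUBLIC_MAX)
        return (f"api:{ip}", API_MAX)

    def check(self, path, ip, account=None, role=None):
        """Return (status, seconds until the window resets)."""
        bucket = self.select_bucket(path, ip, account, role)
        if bucket is None:
            return 200, 0
        key, limit = bucket
        now = self.clock()
        window = int(now // WINDOW)
        if self.counts[(key, window)] >= limit:
            return 429, math.ceil((window + 1) * WINDOW - now)
        self.counts[(key, window)] += 1  # old windows are never purged here
        return 200, 0
```

Passing a fake `clock` makes the window boundaries deterministic, which is useful when checking that a change to bucket selection does not let one class of traffic drain another's quota.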

When you see 429

The site may show a message that you have been rate limited. Wait until the time window resets (e.g. try again later in the hour or after 15 minutes). For heavy use, use an API key so your requests count against the higher authenticated limit. Include the X-Request-ID response header when reporting issues to support.