Skip to main content
The Store API enforces rate limits to protect against abuse and ensure fair usage. Rate limits are applied per API key or per IP address depending on the endpoint.

Default Limits

EndpointLimitScopeWindow
All endpoints300 requestsPer API key1 minute
POST /auth/login5 requestsPer IP1 minute
POST /customers3 requestsPer IP1 minute
POST /auth/refresh10 requestsPer IP1 minute
The global rate limit is tracked by your publishable API key (X-Spree-Api-Key). If the key is not provided, the limit falls back to the client’s IP address. Authentication endpoints have stricter per-IP limits to prevent brute-force attacks.

Rate Limit Headers

Every Store API response includes headers that show your current rate limit usage:
HeaderDescription
X-RateLimit-LimitMaximum number of requests allowed per window
X-RateLimit-RemainingNumber of requests remaining in the current window
Retry-AfterSeconds to wait before retrying (only present when limit is reached)
Example response headers:

Rate Limit Response

When you exceed the rate limit, the API returns a 429 Too Many Requests response:
The response includes rate limit headers and a Retry-After header indicating how many seconds to wait before retrying:

SDK Retry Handling

The Spree SDK automatically handles rate-limited responses with built-in retry logic and exponential backoff:
The SDK respects the Retry-After header and only retries on 429 status codes for non-GET requests. For GET/HEAD requests, it also retries on 500, 502, 503, and 504 errors.

Configuring Rate Limits

If you’re self-hosting Spree, you can adjust rate limits in your initializer:
Rate limiting uses Rails.cache as the backing store. For production environments with multiple application servers, ensure you’re using a shared cache store like Redis: