API Status and Limits
Current platform limits, headers to send and observe, environment differences, and how to stay within SLOs during peaks.
Rate Limits
Limits are enforced per project and environment. Use Retry-After and the X-RateLimit headers to stay within budget and smooth load during assessments.
Production
- Throughput: 600 requests/min per project
- Burst: 120 requests in a 10-second window
Enterprise plans can request custom ceilings and dedicated lanes for exam windows.
Sandbox
- Throughput: 120 requests/min per project
- Burst: 40 requests in a 10-second window
For integration and QA. Same endpoints and headers, isolated data plane.
Elevated
- Throughput: Contact us
- Burst: SLO-backed dedicated capacity
For proctoring peaks or migration cutovers. Reach out with load profiles and timelines.
Environments
- Sandbox: Auth, payloads, and headers match production. Data is isolated. Lower limits to protect shared tenants.
- Production: Higher SLOs, monitored for latency and error budgets. Observability headers are identical.
- Cutover: For migrations, coordinate dual writes and backfills with an agreed maintenance window.
Retries and Backoff
- 429 or 503: Honor Retry-After. Use exponential backoff with jitter.
- Idempotency: Send Idempotency-Key on POST/PUT/PATCH to make retries safe.
- Timeouts: A default client timeout of 30 seconds is recommended; avoid hammering on transient errors.
Headers to Send
- Authorization: Bearer <token>
- Content-Type: application/json
- Idempotency-Key: Required for POST/PUT/PATCH that create or mutate resources.
- User-Agent: App name and version for diagnostics.
Headers to Watch
- X-RateLimit-Limit: Ceiling for the current window.
- X-RateLimit-Remaining: Calls left in the current window.
- X-RateLimit-Reset: Unix epoch seconds when the window resets.
- Retry-After: Seconds until it is safe to retry after 429 or 503.
- X-Request-Id: Trace token to include in support tickets and logs.
Error Codes
- 400 — Bad Request: Validation failed. Fix the payload shape or required fields.
- 401 — Unauthorized: Missing or invalid credentials. Check the Authorization header and token scope.
- 403 — Forbidden: Credential valid but lacks permission. Confirm role or resource scoping.
- 404 — Not Found: Resource not present or not accessible in this environment.
- 409 — Conflict: Idempotency replay or conflicting state. Retry with a new idempotency key if appropriate.
- 422 — Unprocessable Entity: Semantics are invalid. Correct business rules before retrying.
- 429 — Rate Limited: Too many requests. Respect Retry-After and back off with jitter.
- 500 — Internal Error: Unexpected fault. Safe to retry with exponential backoff and idempotency.
- 503 — Unavailable: Transient capacity or dependency issue. Retry after the Retry-After window.
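The rules under Retries and Backoff and the retry guidance in the error list above can be combined into one client-side loop. The sketch below is an added example, not code from this platform: `send` is a hypothetical caller-supplied transport, and `HINT_CAP`, `base`, `cap` and `max_attempts` are assumed values, not platform settings.

```python
import random
import time
import uuid

RETRYABLE = {429, 500, 503}   # statuses this page marks as safe to retry
HINT_CAP = 120.0              # assumption: longest Retry-After the client will obey

def retry_delay(status, headers, attempt, base=0.5, cap=30.0, rng=random.random):
    """Seconds to wait before the next try (attempt is 0-based), or None to stop."""
    if status not in RETRYABLE:
        return None           # other statuses need a fix or a caller decision, not a blind retry
    # Full jitter: uniform in [0, min(cap, base * 2**attempt)].
    backoff = rng() * min(cap, base * (2 ** attempt))
    hint = headers.get("Retry-After")
    if status in (429, 503) and hint is not None:
        try:
            # The server hint is a floor; jitter on top avoids lockstep retries.
            return min(HINT_CAP, max(0.0, float(hint))) + backoff
        except ValueError:
            pass              # malformed hint: fall back to plain backoff
    return backoff

def send_with_retries(send, method, url, body=None, headers=None,
                      max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call send(method, url, headers, body) -> (status, headers, body) with retries.

    `send` is a hypothetical transport supplied by the caller; header names are
    assumed to arrive in the canonical casing shown on this page.
    """
    req_headers = dict(headers or {})
    if method in ("POST", "PUT", "PATCH"):
        # One key per logical operation, reused on every retry so replays are safe.
        req_headers.setdefault("Idempotency-Key", str(uuid.uuid4()))
    for attempt in range(max_attempts):
        status, resp_headers, resp_body = send(method, url, dict(req_headers), body)
        delay = retry_delay(status, resp_headers, attempt, rng=rng)
        if delay is None or attempt == max_attempts - 1:
            return status, resp_headers, resp_body
        sleep(delay)
```

Clamping the server-supplied Retry-After keeps a malformed or oversized value from stalling the client indefinitely.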
Payload Guidance
- Size: Keep bodies under 1 MB. Use pagination or chunking for larger datasets.
- Pagination: Use limit and cursor parameters when available to avoid heavy scans.
- Idempotency: One unique Idempotency-Key per logical operation; reuse to replay safely after errors.
Operational Tips
- Observability: Log X-Request-Id and X-RateLimit headers for support investigations.
- Clock Skew: Sync to NTP to honor Retry-After and Reset correctly.
- Rollouts: Ramp traffic gradually; avoid sudden spikes at minute boundaries.