Rate-Limit Policy
Reference of published limits and recommended behavior on the partner side.
Endpoints with explicit limits
| Endpoint | Limit | Window | Limitation key | Response 429 |
|---|---|---|---|---|
GET /api/w/verify-status/:requestId?pt=... | 30 requests | 60s | request_id | RATE_LIMITED + Retry-After: 60 |
POST /api/partner/verify-request | 60 requests | 60s | Client IP | {"error":"Too many requests"} |
GET /api/partner/verify-status/:requestId | 60 requests | 60s | Client IP | {"error":"Too many requests"} |
POST /api/billing/session (pre-auth) | 30 requests | 60s | Client IP | {"error":"Too many requests"} |
POST /api/billing/session (post-auth) | 100 requests | 60s | Partner ID | {"error":"Too many requests"} |
Endpoints Partner API (api.zykay.com)
For POST /v1/exchange and POST /v1/introspect, there is no fixed public quota in this reference version.
To be on the safe side, your backend should:
- treat any
429response as transient - apply a bounded exponential backoff
- maintain caller side idempotence
Recommended retry strategy
- If header
Retry-Afterpresent, respect it as a priority - Otherwise, use exponential backoff with jitter (max 30s)
- Limit to 3 attempts before user failure
Example:
tentative 1: 1s (+ jitter)
tentative 2: 2s (+ jitter)
tentative 3: 4s (+ jitter)Best practices
- Do not poll faster than necessary (avoid an interval less than 1s on the client side).
- Immediately stop retries on
401/403/400errors (non-transient). - Log
X-ZK-CIDfor correlation support.