HTTP 429 Too Many Requests — Rate Limiting, Retry-After & Fix
The client has sent too many requests in a given amount of time (rate limiting). The response should include a Retry-After header indicating how long to wait before making a new request.
When to Return 429
Return 429 when a client exceeds your rate limit. Always include Retry-After (seconds until reset) and optionally X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers.
Common Causes
- API rate limit exceeded (requests per minute/hour)
- Too many login attempts (brute force protection)
- Excessive webhook retries
- Scraper hitting too frequently
HTTP Response Example
HTTP/1.1 429 Too Many Requests
Retry-After: 60
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1700000060

{"error": "Too Many Requests", "retryAfter": 60}
Code Examples
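Client side of the response above, as an added example (not from the original page): a helper that turns Retry-After or X-RateLimit-Reset into a bounded wait, and a retry loop that uses it. It goes slightly beyond the page by also accepting the HTTP-date form of Retry-After; the names retryDelayMs and fetchWithRetry and the 5-minute cap are assumptions, and X-RateLimit-Reset is read as Unix epoch seconds as in the sample response.

```javascript
// Added example: derive a bounded wait time from a 429 response's headers.
const MAX_WAIT_MS = 5 * 60_000 // assumption: never sleep longer than 5 minutes

// headers: a fetch Headers object, or anything with .get(lowercaseName)
function retryDelayMs(headers, nowMs = Date.now(), capMs = MAX_WAIT_MS) {
  // Clamp so a huge or negative server value cannot stall or busy-loop the client
  const clamp = (ms) => Math.min(Math.max(Math.ceil(ms), 0), capMs)

  const retryAfter = headers.get('retry-after')
  if (retryAfter != null) {
    const value = retryAfter.trim()
    // Form 1: delta-seconds, e.g. "60"
    if (/^\d+$/.test(value)) return clamp(Number(value) * 1000)
    // Form 2: HTTP-date, e.g. "Tue, 14 Nov 2023 22:14:20 GMT"
    const when = Date.parse(value)
    if (!Number.isNaN(when)) return clamp(when - nowMs)
  }

  // Fallback: X-RateLimit-Reset as Unix epoch seconds
  const reset = headers.get('x-ratelimit-reset')
  if (reset != null && /^\d+$/.test(reset.trim())) {
    return clamp(Number(reset.trim()) * 1000 - nowMs)
  }
  return null // no usable hint: the caller applies its own backoff
}

async function fetchWithRetry(url, options = {}, maxAttempts = 4) {
  for (let attempt = 1; ; attempt++) {
    const res = await fetch(url, options)
    if (res.status !== 429 || attempt >= maxAttempts) return res
    // Server hint if present, otherwise exponential backoff: 1s, 2s, 4s, ...
    const hinted = retryDelayMs(res.headers)
    const waitMs = hinted ?? Math.min(1000 * 2 ** (attempt - 1), MAX_WAIT_MS)
    await new Promise((resolve) => setTimeout(resolve, waitMs))
  }
}
```
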
Express.js
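import express from 'express'
import rateLimit from 'express-rate-limit'

const app = express()

const limiter = rateLimit({
  windowMs: 60_000, // 1 minute
  max: 100, // requests allowed per client per window
  standardHeaders: true, // send the RateLimit-* headers
  legacyHeaders: false, // do not send the X-RateLimit-* headers
  // Runs when a client goes over the limit
  handler: (req, res) => {
    res.status(429).json({
      error: 'Too Many Requests',
      message: 'Rate limit exceeded. Try again in 60 seconds.',
      retryAfter: 60,
    })
  },
})

// Apply the limiter to every route under /api
app.use('/api', limiter)
Next.js App Router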
// middleware.ts — using Upstash Rate Limit (edge-compatible)
import { NextResponse, type NextRequest } from 'next/server'
import { Ratelimit } from '@upstash/ratelimit'
import { Redis } from '@upstash/redis'

const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(100, '1 m'), // 100 requests per minute
})

export async function middleware(request: NextRequest) {
  // Keyed by client IP; requests with no resolved IP all share the 'anon' bucket
  const { success, reset } = await ratelimit.limit(request.ip ?? 'anon')
  if (!success) {
    // reset is a millisecond timestamp; Retry-After is sent in whole seconds
    return new NextResponse(
      JSON.stringify({ error: 'Too Many Requests' }),
      {
        status: 429,
        headers: {
          'Content-Type': 'application/json',
          'Retry-After': String(Math.ceil((reset - Date.now()) / 1000)),
        },
      }
    )
  }
}
