Codat · Rate Limits

Codat Rate Limits

Codat enforces a daily request quota that scales with the number of Active Connected Companies (ACCs) plus a per-ACC concurrency cap. A separate IP-based DoS protection rejects more than 1,000 requests per minute from a single IP. All rate-limit responses use HTTP 429 with a Retry-After header. Live counters are exposed via X-Rate-Limit-Limit / X-Rate-Limit-Remaining / X-Rate-Limit-Reset response headers and webhook events fire when limits are reached or reset.

3 Limits Throttle: 429 Quota: 429

Unified APIAccountingBankingRate Limiting

Limits

Daily request quota account

requests_per_day · day

1000 + 1000 per Active Connected Company

Formula is `1,000 x (1 + number of ACCs)`. Resets daily at 00:00 UTC. Example, 100 ACCs = 101,000 requests/day.

Per-ACC concurrency account

concurrent_requests

Maximum of 10 concurrent in-flight requests per Active Connected Company.

IP-based DoS protection IP

requests_per_minute · minute

1000

Hard ceiling on requests originating from any single IP address. Sustained traffic above this ceiling may be blocked without warning.

Policies

Retry-After

429 responses include a Retry-After header advising when the limit window will reset. Honor this value before retrying.

Daily reset

Quotas reset daily at 00:00 UTC.

Webhook signaling

Codat fires `client.rateLimit.reached` and `client.rateLimit.reset` webhook events so consumers can react programmatically.

Scaling with ACCs

Adding new Active Connected Companies linearly increases the daily request quota; right-size ACC lifecycle to avoid orphan companies that consume quota.

Backoff strategy

On 429, back off using the Retry-After value with jitter; do not retry tighter than the indicated reset window.

Sources

https://docs.codat.io/using-the-api/rate-limits