Fortify · Rate Limits
Fortify on Demand exposes a REST API at api.emea.fortify.com, api.ams.fortify.com and api.apac.fortify.com, authenticated with OAuth2 client credentials. OpenText does not publish numeric per-second rate limits in the public docs; throttles are per-tenant and oriented around long-running scan submission and result-retrieval operations. Self-managed Fortify SSC has no platform-imposed API limit.
Throttle: 429
Application Security, DAST, SAST, SCA, Rate Limiting
Limits
Fortify on Demand REST API per-tenant throttle | tenant/api-key | per-tenant; not publicly published
Fortify SSC self-hosted | deployment | operator-configured; no platform default
Policies
Async Scan Submission
Static, dynamic, and mobile scan submissions return a scan ID immediately and run asynchronously. Poll the scan-status endpoint with backoff rather than re-submitting.
Backoff Strategy
Clients should implement exponential backoff with jitter on 429/5xx and honor Retry-After.
Token Lifetime
OAuth2 access tokens have a limited lifetime; refresh them ahead of expiry rather than retrying after a 401.
Region Routing
Use the region-specific FoD endpoint (EMEA, AMS, APAC) matching the tenant; cross-region calls are not supported.
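The Async Scan Submission and Backoff Strategy policies above can be combined into one polling loop. This is an added example, not code from Fortify or OpenText: fetch_status and is_complete are hypothetical caller-supplied callables that wrap the real status request, and the base and cap values are assumptions, since no numeric limits are published.

```python
import email.utils
import random
import time

def parse_retry_after(value, now=None):
    """Seconds to wait per a Retry-After header (delta-seconds or HTTP-date)."""
    if not value:
        return 0.0
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return 0.0  # unparseable: rely on the computed backoff instead
    now = time.time() if now is None else now
    return max(0.0, when.timestamp() - now)

def backoff_delay(attempt, base=2.0, cap=120.0, rng=random.random):
    """Full jitter: uniform in [0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * 2 ** attempt)

def poll_scan(fetch_status, is_complete, max_attempts=20,
              sleep=time.sleep, rng=random.random):
    """Poll a scan's status until is_complete(body) is true.

    fetch_status is a hypothetical caller-supplied callable returning
    (http_status, headers_dict, body) for one status request.
    """
    failures = 0
    for attempt in range(max_attempts):
        status, headers, body = fetch_status()
        if status == 200:
            if is_complete(body):
                return body
            failures = 0
            sleep(backoff_delay(attempt, rng=rng))  # still running: wait, never re-submit
        elif status == 429 or 500 <= status < 600:
            hdrs = {k.lower(): v for k, v in headers.items()}
            # The server's Retry-After is a floor; jittered backoff may wait longer.
            wait = max(parse_retry_after(hdrs.get("retry-after")),
                       backoff_delay(failures, rng=rng))
            failures += 1
            sleep(wait)
        else:
            # 401 lands here: refresh the token ahead of expiry, not via retry.
            raise RuntimeError(f"non-retryable HTTP {status}")
    raise TimeoutError("scan did not complete within max_attempts")
```

Passing sleep and rng as parameters keeps the loop deterministic under test; in production the defaults apply.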