HashiCorp · Rate Limits
Hashicorp Rate Limits
HashiCorp publishes rate limits primarily for HCP Terraform. The platform enforces ~30 requests/second per authenticated user (or per IP for unauthenticated requests) across most endpoints, with stricter ceilings on sensitive endpoints (SMS/2FA at 5/min, email-sending at 10–100/min, certain account operations at 40/hour). Limits are scoped per user — multiple tokens cannot bypass the limit. Other HashiCorp products (Vault, Consul, Nomad, Boundary) enforce limits configured by the operator at deploy time.
5 Limits
Throttle: 429
Quota: 429
CloudDevOpsInfrastructurePlatformRate LimitingQuotasThrottling
Limits
HCP Terraform — Default API rate user-or-ip
30
Applies to most HCP Terraform API endpoints, authenticated by user or by source IP for unauthenticated requests.
HCP Terraform — SMS / 2FA endpoints user
5
HCP Terraform — Email-sending endpoints user
10–100
Per-endpoint variation; verify against the specific endpoint reference.
HCP Terraform — Account operations user
40
Vault / Consul / Nomad / Boundary — Operator-configured cluster
configured by operator (see product docs)
Policies
Per-User Scoping
HCP Terraform rate limits are bound to the authenticated user — multiple API tokens issued to the same user share the limit.
Backoff Strategy
On 429, clients should back off and retry with jitter. Retry-After is not universally documented; default to exponential backoff.
Sensitive Endpoint Throttling
SMS/2FA, email, and account-mutation endpoints have stricter per-minute / per-hour ceilings than the default 30 rps.
Self-Managed Configurability
For Vault, Consul, Nomad, and Boundary, request quotas and rate limits are configured by the cluster operator (e.g. Vault sys/quotas/rate-limit).