HashiCorp Cloud Platform · Rate Limits

Hcp Rate Limits

HCP enforces API rate limits per authenticated user (or per IP for unauthenticated requests). The headline limit for HCP Terraform is ~30 requests/second across most endpoints. Sensitive endpoints have stricter ceilings — SMS/2FA at 5 requests/minute, email-sending at 10–100 requests/minute (per endpoint), and certain account operations at 40 requests/hour. Limits are scoped per user, so multiple tokens issued to the same user share the budget. Other HCP products (Vault, Consul, Boundary, Packer, Waypoint) inherit the HCP platform throttling layer.

4 Limits Throttle: 429 Quota: 429

CloudInfrastructureDevOpsSecrets ManagementService NetworkingRate LimitingQuotasThrottling

Limits

HCP Terraform — Default API rate user-or-ip

requests_per_second · second

Documented for HCP Terraform; other HCP products share the platform throttling layer.

SMS / 2FA endpoints user

requests_per_minute · minute

Email-sending endpoints user

requests_per_minute · minute

10–100

Specific endpoints fall in the 10–100/min band; verify per-endpoint.

Account operations user

requests_per_hour · hour

Policies

Per-User Scoping

Rate limits are scoped per authenticated user, not per token — multiple tokens issued to the same user share the limit budget.

Backoff Strategy

On HTTP 429 with the JSON-API error 'You have exceeded the API's rate limit', back off and retry with jitter; honor Retry-After when present.

Sensitive Endpoint Throttling

SMS/2FA, email, and account-mutation endpoints have tighter ceilings than the default 30 rps; design clients accordingly.

Unauthenticated Requests

Unauthenticated requests are bucketed by source IP rather than user.

Sources

https://developer.hashicorp.com/terraform/cloud-docs/api-docs