HMRC UK Tax Authority · Rate Limits
Hmrc Rate Limits
HMRC's Developer Hub publishes a single, platform-wide per-application throttle of 3 requests per second, scoped to each registered application. Above that ceiling clients receive HTTP 429 with the HMRC error code MESSAGE_THROTTLED_OUT. Maintenance and capacity events surface as 503 (SERVER_ERROR or SCHEDULED_MAINTENANCE) and 504 (GATEWAY_TIMEOUT). Applications that legitimately need a higher rate must contact the HMRC Software Developer Support Team to discuss design and have the limit raised. There is no sandbox-specific number documented separately; sandbox is intended for functional testing rather than load testing.
3 Limits
Throttle: 429
GovernmentMaking Tax DigitalRegulatoryTaxUKRate LimitingThrottling
Limits
Default per-application throttle (production) application
3
Steady-state ceiling. Returns HTTP 429 with code MESSAGE_THROTTLED_OUT when exceeded. HMRC explicitly favors real-time interactions over batching.
Raised limit (per agreement) application
negotiated; contact HMRC Software Developer Support Team
Applications that consistently hit the 3 RPS ceiling can request an uplift after a design review with HMRC.
Sandbox throttle application
sandbox not load-tested; same per-application throttle policy applies
Sandbox is for functional testing only. HMRC does not publish a separate numeric throttle.
Policies
Backoff Strategy
HMRC instructs clients to stop making additional API requests for a short period after receiving 429 / MESSAGE_THROTTLED_OUT, then retry. Implement exponential backoff with jitter.
Limit Uplift via Support
Rate limits are raised on a per-application basis only after HMRC's Software Developer Support Team reviews the application's design and the business case for higher throughput.
Real-Time Bias
HMRC explicitly designs the rate limit to discourage batching; vendors are expected to submit traffic in real-time as users perform actions.
Maintenance Windows
Scheduled-maintenance traffic returns HTTP 503 with SCHEDULED_MAINTENANCE; clients should retry after the published downtime window.
Fraud Prevention Headers
HMRC requires fraud-prevention headers (Gov-Client-*) on every request. Missing or invalid headers can result in 403 errors independent of rate limiting.