National Institute of Standards and Technology (NIST) · Rate Limits
Nist Rate Limits
NIST publishes explicit rate limits for the National Vulnerability Database (NVD) API. Anonymous callers get 5 requests per 30-second rolling window; callers with a free API key get 50 requests per 30-second rolling window. Other NIST APIs (NIST Chemistry WebBook, Internet Time Service) do not document per-key limits but are subject to firewall-level DOS protection. NIST recommends a 6-second sleep between requests to stay within compliance.
3 Limits
Throttle: 403
Rate LimitingCybersecurityGovernmentPublic Data
Limits
NVD API — Anonymous IP
5
30-second rolling window. Recommended 6-second sleep between requests.
NVD API — API Key api_key
50
30-second rolling window. 10x increase over anonymous.
Other NIST APIs (Chemistry WebBook, Time Service, etc.) IP
see firewall fair-use policy
No published per-key RPS; firewall enforces DOS protection.
Policies
6-second sleep recommendation
NIST recommends sleeping ~6 seconds between requests so legitimate requests are not blocked by firewall DOS protection.
Free API key registration
API keys are free and obtained via the NVD developer portal — request, accept Terms of Use, and activate via email link.
Firewall-level enforcement
NIST firewall rules apply at the perimeter; 403 responses indicate firewall throttling rather than application-level 429.
Spread queries
For full NVD ingest, paginate with resultsPerPage=2000 and use lastModStartDate / lastModEndDate windowed sync rather than re-querying the full dataset.