Getting Started > Rate Limits

Rate Limits

Last Updated: 2026-06-26

The MallPlus Open Platform meters every app's request volume to keep the API fair and stable. Limits are enforced per app, returned on every response, and queryable in real time so you can back off before you are throttled.

Defaults

All endpoints and methods share a single per-minute budget — reads and writes are not metered separately.

TierLimit
Standard (all apps)600 requests / minute / app
EnterpriseNegotiated per-app override

How limits are counted

  • Authenticated /open/v1/* requests are counted per app, keyed off your verified credentials.
  • Unauthenticated endpoints (such as the OAuth /open/v1/auth/* surface) are counted per source IP.
  • The window is a fixed 60 seconds. The counter resets when the window expires — it does not slide forward on each request. X-RateLimit-Reset tells you exactly when the current window resets.
  • An Enterprise per-app override, when configured, replaces the default limit for that app.

Response headers

Every authenticated response includes your current budget:

X-RateLimit-Limit: 600
X-RateLimit-Remaining: 547
X-RateLimit-Reset: 1716277260

X-RateLimit-Reset is a Unix epoch second at which the current window resets and X-RateLimit-Remaining returns to the full limit.

When you exceed the limit

Once you cross the limit the API responds with 429 RATE_LIMITED and a Retry-After header (seconds to wait). Wait at least that long before retrying.

{
  "success": false,
  "error": {
    "code": "RATE_LIMITED",
    "message": "Too many requests",
    "details": { "retryAfterSeconds": 12 }
  }
}

Repeating the request immediately on a 429 will just trip the limit again and amplify load — use exponential backoff instead.

Real-time usage meter

GET https://sandbox.open.mallplus.ph/open/v1/usage returns your current consumption, scoped to the calling app:

{
  "success": true,
  "data": {
    "summary": { "successRate": 99.6, "successCalls": 14760, "failCalls": 69, "totalCalls": 14829 },
    "endpoints": [
      { "endpoint": "GET /open/v1/orders", "totalCalls": 8021, "successCalls": 8001, "failCalls": 20, "successRate": 99.75 }
    ],
    "quota": {
      "window": "per_minute",
      "limit": 600,
      "used": 53,
      "remaining": 547,
      "resetAt": 1716277260
    }
  }
}

Pass ?from= and ?to= (ISO-8601, clamped to 90 days) to scope the call statistics, or ?endpoint= to filter to one path. Use the live quota block to drive a dashboard or circuit breaker.

Body size limits

Request bodies on /open/v1/* are capped at 1 MB. Exceeding the cap returns 413 PAYLOAD_TOO_LARGE. Use the bulk endpoints (for example POST /open/v1/products/bulk) to batch large workloads within the cap.

Backoff best practices

  • On a 429, honour Retry-After and retry with exponential backoff plus jitter.
  • Throttle pre-emptively when X-RateLimit-Remaining (or quota.remaining) drops below 10% of your limit.
  • Spread bulk back-fills across windows rather than bursting at the top of every minute.

Need a higher limit?

Enterprise apps can have a per-app limit configured. Raise a request from the console via Raise Ticket or email partners@mallplus.ph with:

  • Your clientId
  • Expected peak requests per second
  • Use case (back-fill, real-time sync, etc.)