Rate Limits
Last Updated: 2026-06-26
The MallPlus Open Platform meters every app's request volume to keep the API fair and stable. Limits are enforced per app, returned on every response, and queryable in real time so you can back off before you are throttled.
Defaults
All endpoints and methods share a single per-minute budget — reads and writes are not metered separately.
| Tier | Limit |
|---|---|
| Standard (all apps) | 600 requests / minute / app |
| Enterprise | Negotiated per-app override |
How limits are counted
- Authenticated
/open/v1/*requests are counted per app, keyed off your verified credentials. - Unauthenticated endpoints (such as the OAuth
/open/v1/auth/*surface) are counted per source IP. - The window is a fixed 60 seconds. The counter resets when the window expires — it does not slide forward on each request.
X-RateLimit-Resettells you exactly when the current window resets. - An Enterprise per-app override, when configured, replaces the default limit for that app.
Response headers
Every authenticated response includes your current budget:
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 547
X-RateLimit-Reset: 1716277260X-RateLimit-Reset is a Unix epoch second at which the current window resets and X-RateLimit-Remaining returns to the full limit.
When you exceed the limit
Once you cross the limit the API responds with 429 RATE_LIMITED and a Retry-After header (seconds to wait). Wait at least that long before retrying.
{
"success": false,
"error": {
"code": "RATE_LIMITED",
"message": "Too many requests",
"details": { "retryAfterSeconds": 12 }
}
} Repeating the request immediately on a 429 will just trip the limit again and amplify load — use exponential backoff instead.
Real-time usage meter
GET https://sandbox.open.mallplus.ph/open/v1/usage returns your current consumption, scoped to the calling app:
{
"success": true,
"data": {
"summary": { "successRate": 99.6, "successCalls": 14760, "failCalls": 69, "totalCalls": 14829 },
"endpoints": [
{ "endpoint": "GET /open/v1/orders", "totalCalls": 8021, "successCalls": 8001, "failCalls": 20, "successRate": 99.75 }
],
"quota": {
"window": "per_minute",
"limit": 600,
"used": 53,
"remaining": 547,
"resetAt": 1716277260
}
}
} Pass ?from= and ?to= (ISO-8601, clamped to 90 days) to scope the call statistics, or ?endpoint= to filter to one path. Use the live quota block to drive a dashboard or circuit breaker.
Body size limits
Request bodies on /open/v1/* are capped at 1 MB. Exceeding the cap returns 413 PAYLOAD_TOO_LARGE. Use the bulk endpoints (for example POST /open/v1/products/bulk) to batch large workloads within the cap.
Backoff best practices
- On a
429, honourRetry-Afterand retry with exponential backoff plus jitter. - Throttle pre-emptively when
X-RateLimit-Remaining(orquota.remaining) drops below 10% of your limit. - Spread bulk back-fills across windows rather than bursting at the top of every minute.
Need a higher limit?
Enterprise apps can have a per-app limit configured. Raise a request from the console via Raise Ticket or email partners@mallplus.ph with:
- Your
clientId - Expected peak requests per second
- Use case (back-fill, real-time sync, etc.)