Rate limiting
The Winningtemp API enforces per-route rate limits to ensure fair usage and protect service availability. Limits are applied per
client and may vary between endpoints.
Client Identification
Rate limits are tracked per client using the sub claim of your JWT. Each unique token subject gets its own rate limit
window, so every request presented with a token carrying the same subject counts against the same window, whether the
requests come from one process or from several workers sharing that subject. For the /auth endpoint (which does not require
a bearer token), your source IP address is used instead; clients behind a shared NAT or egress proxy therefore share one window.
Response Headers
Every response from a rate-limited endpoint, including a 429 response, includes these headers:
| Header | Description | Example |
|---|---|---|
| X-RateLimit-Limit | Maximum number of requests allowed in the current window | 20 |
| X-RateLimit-Remaining | Requests remaining in the current window | 17 |
| X-RateLimit-Reset | UTC timestamp when the current window resets | 2026-02-27T10:48:31.9817984Z |
When You Exceed the Limit
When your remaining count reaches zero, subsequent requests return HTTP 429 Too Many Requests until the window resets. The
X-RateLimit-Reset header tells you exactly when you can resume making requests.
Recommendations
- Monitor the X-RateLimit-Remaining header and throttle your requests as it approaches zero.
- Use the X-RateLimit-Reset timestamp to schedule retries; do not retry in a tight loop. Add a small random delay before resuming so that several workers sharing one token subject do not all resume at the same instant.
- Rate limits can differ between endpoints. Always read the headers from each response rather than assuming a fixed limit across the API.
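The client behaviour these recommendations describe, as an added example that is not part of the Winningtemp documentation or SDK. It assumes a transport callable `send(method, path, headers) -> (status, headers, body)` and takes an injectable clock and sleep so it can be exercised offline against a constructed fake server; the `/v1/things` path, the limit of 3 and the 60-second window are invented for the demonstration. The parser handles the seven fractional digits in the documented X-RateLimit-Reset value, the throttle paces the last few requests of a window and waits out a zero balance, and the retry path trusts the server's Reset rather than the local counter, because a sibling process using the same token subject can drain the window unseen.

```python
"""Rate-limit-aware client for the X-RateLimit-* headers documented above.
Added example, not Winningtemp's SDK; transport, paths and limits are assumed."""
import random
import time
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, str]


def parse_reset(value: str) -> datetime:
    """Parse X-RateLimit-Reset, e.g. 2026-02-27T10:48:31.9817984Z.
    The header carries seven fractional digits and a trailing Z; older
    datetime.fromisoformat accepts at most six and no Z, so normalise both."""
    v = value.strip().rstrip("Z")
    if "." in v:
        head, frac = v.split(".", 1)
        v = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(v).replace(tzinfo=timezone.utc)


class RateLimitedClient:
    def __init__(self, send: Callable[[str, str, Headers], Response], *,
                 now: Optional[Callable[[], datetime]] = None,
                 sleep: Optional[Callable[[float], None]] = None,
                 low_water: int = 2, jitter_s: float = 0.5, max_wait_s: float = 300.0):
        self._send, self._now = send, (now or (lambda: datetime.now(timezone.utc)))
        self._sleep = sleep or time.sleep
        self.low_water = low_water      # start pacing when this few requests remain
        self.jitter_s = jitter_s        # random extra wait so peers do not stampede at reset
        self.max_wait_s = max_wait_s    # cap on any single wait, whatever Reset says
        self.state: Dict[str, dict] = {}  # last window seen per path: limits differ per endpoint
        self.waits: List[float] = []      # seconds slept, kept for inspection

    def _record(self, path: str, headers: Headers) -> None:
        h = {k.lower(): v for k, v in headers.items()}
        if "x-ratelimit-limit" in h:
            self.state[path] = {"limit": int(h["x-ratelimit-limit"]),
                                "remaining": int(h["x-ratelimit-remaining"]),
                                "reset": parse_reset(h["x-ratelimit-reset"])}

    def _pause(self, seconds: float) -> None:
        delay = min(max(0.0, seconds) + random.uniform(0.0, self.jitter_s), self.max_wait_s)
        self.waits.append(delay)
        self._sleep(delay)

    def _throttle(self, path: str) -> None:
        """Proactive throttle based on the last headers seen for this path."""
        st = self.state.get(path)
        if not st:
            return
        left = (st["reset"] - self._now()).total_seconds()
        if left <= 0:
            return                                   # window already rolled over
        if st["remaining"] == 0:
            self._pause(left)                        # sending now would only earn a 429
        elif st["remaining"] <= self.low_water:
            self._pause(left / (st["remaining"] + 1))  # spread the last few over the rest of the window

    def request(self, method: str, path: str, headers: Optional[Headers] = None,
                max_retries: int = 3) -> Response:
        self._throttle(path)
        for attempt in range(max_retries + 1):
            status, resp_headers, body = self._send(method, path, headers or {})
            self._record(path, resp_headers)
            st = self.state.get(path)
            if status != 429 or attempt == max_retries or st is None:
                return status, resp_headers, body    # success, or give up and let the caller decide
            # Local counter was stale: another process with the same token subject shares
            # this window. Trust the server's Reset, then retry.
            self._pause((st["reset"] - self._now()).total_seconds())
        raise AssertionError("unreachable")


class FakeClock:
    """Constructed clock: sleep() advances time instead of blocking."""
    def __init__(self, start: datetime):
        self.t = start
    def now(self) -> datetime:
        return self.t
    def sleep(self, s: float) -> None:
        self.t += timedelta(seconds=s)


class FakeWindowServer:
    """Constructed stand-in for a rate-limited endpoint: fixed window per path."""
    def __init__(self, clock: FakeClock, limit: int = 3, window_s: int = 60):
        self.clock, self.limit, self.window_s, self.windows = clock, limit, window_s, {}

    def send(self, method: str, path: str, headers: Headers) -> Response:
        now = self.clock.now()
        w = self.windows.get(path)
        if w is None or now >= w["reset"]:
            w = self.windows[path] = {"reset": now + timedelta(seconds=self.window_s), "used": 0}
        reset = w["reset"].strftime("%Y-%m-%dT%H:%M:%S.%f0Z")   # seven fractional digits, as documented
        if w["used"] >= self.limit:
            return 429, {"X-RateLimit-Limit": str(self.limit), "X-RateLimit-Remaining": "0",
                         "X-RateLimit-Reset": reset}, "Too Many Requests"
        w["used"] += 1
        return 200, {"X-RateLimit-Limit": str(self.limit), "X-RateLimit-Reset": reset,
                     "X-RateLimit-Remaining": str(self.limit - w["used"])}, "ok"


def demo() -> Tuple[int, int, List[float]]:
    """Two callers share one token subject, so they share one window (constructed scenario)."""
    clock = FakeClock(datetime(2026, 2, 27, 10, 47, 31, tzinfo=timezone.utc))
    server = FakeWindowServer(clock, limit=3, window_s=60)
    client = RateLimitedClient(server.send, now=clock.now, sleep=clock.sleep, jitter_s=0.0)
    first, _, _ = client.request("GET", "/v1/things")    # 200, two requests left
    for _ in range(2):                                    # a sibling process burns the rest
        server.send("GET", "/v1/things", {})
    second, _, _ = client.request("GET", "/v1/things")   # paced 20 s, 429, waits 40 s for reset, 200
    return first, second, client.waits


if __name__ == "__main__":
    print(demo())
```

In production pass the real HTTP call as `send` and leave `now` and `sleep` at their defaults; `max_wait_s` exists so a clock-skewed or hostile Reset value cannot park a worker indefinitely, and `jitter_s` keeps several workers behind one subject from retrying in lockstep at the reset instant.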
