Skip to main content

Platform Limits

These new rate limits will go into affect on July 16, 2024, read more about it in our blog Introducing New Rate Limits. Reach out to your account manager or contact us with any questions or concerns.

Default Rate Limits

The Basis Theory API has rate limits applied to ensure the speed and consistency of our systems. Rate Limits will always apply to the lowest Rate available for a given request. For example, if a request is made to POST /tokens with on a Test Tenant the rate limit for that request is 50 Requests / 10 Seconds.

Tenant Type Rate Limits

Test Tenant

ANYANYIP and API Key50 req / 10 sThrottle

API Resource Rate Limits

POST /tokens/searchIP50 req / 10 sThrottle
GET /tokensIP100 req / 10 sThrottle
POST /tokens OR /tokenizeIP200 req / 10 sThrottle
ANY /account-updater/*IP10 req / 10 sThrottle

Application Type Rate Limits

Private Application

ANYAPI Key OR IP2000 req / 10 sThrottle

Public Application

ANYIP and API Key50 req / 1 min10s Block

Management Application

ANYAPI Key200 req / 1 min60s Block


Unauthenticated / Whitelabel Proxies

ANYProxy Key AND IP50 req / 10 sThrottle
ANYCustom Hostname AND IP50 req / 10 sThrottle


IP-Based Global Rate Limit

ANYIP2000 req / 10 s30s Block

Legacy Rate Limits

Legacy API Keys

This only applies to keys without _prod_ or _test_ in the key or are denoted by a Legacy badge on your API Key in an Application on the Portal.

ANYANYIP and API Key100 req / 1 mThrottle

Error Codes

Status CodeMeaning
429Request has been rate limited

Other Limits

Default Quotas

Quotas are Tenant specific limits that can be adjusted by Basis Theory. Below are some of the default Quota's applied to all tenants as they are created - to find the full list of Quota' or to request a change, please visit your tenant's Quota page.

Quota NameLimit
Rate LimitDefault
Log Retention24 hours
Tokenize Limit5 tokens
Detokenize Limit5 tokens
CVC Retention1 hour


Applicable to invoking Reactors or invoking Pre-Configured Proxies with a Request or Response Transform.

Code lengthThe maximum code length accepted by a Reactor is 50K chars.
Payload SizeThe maximum payload size to invoke a Reactor is 1 MB. Please reach out if your use case requires more than that.
ConcurrencyThe default hot concurrency is set to 1 by default, this will fan out and cold start additional Reactors if multiple requests happen concurrently. If you need additional hot concurrency, please reach out.
Synchronous TimeoutSynchronous Reactor Invoke calls will timeout after 30s.