Platform Limits

Default Rate Limits

The Basis Theory API has rate limits applied to ensure the speed and consistency of our systems. Rate Limits will always apply to the lowest Rate available for a given request. For example, if a request is made to POST /tokens with on a Test Tenant the rate limit for that request is 50 Requests / 10 Seconds.

Tenant Type Rate Limits

Test Tenant

Method	Resource	Counter	Rate	Action
ANY	ANY	IP and API Key	50 req / 10 s	Throttle

API Resource Rate Limits

Resource	Counter	Rate	Action
POST /tokens/search	API Key AND IP	50 req / 10 s	Throttle
GET /tokens OR POST /detokenize	API Key AND IP	100 req / 10 s	Throttle
POST /tokens OR /tokenize	API Key AND IP	200 req / 10 s	Throttle
PATCH /tokens/{id}	API Key AND IP	200 req / 10 s	Throttle
DELETE /tokens/{id}	API Key AND IP	200 req / 10 s	Throttle
ANY /account-updater/*	API Key AND IP	10 req / 10 s	Throttle
POST /documents	API Key AND IP	10 req / 1 min	Throttle
GET /documents/{id}/data	API Key AND IP	10 req / 1 min	Throttle

Application Type Rate Limits

Private Application

Resource	Counter	Rate	Action
ANY	API Key OR IP	2000 req / 10 s	Throttle

Public Application

Resource	Counter	Rate	Action
ANY	IP and API Key	50 req / 1 min	10s Block

Management Application

Resource	Counter	Rate	Action
ANY	API Key	200 req / 1 min	60s Block

Proxies

Unauthenticated / Whitelabel Proxies

Resource	Counter	Rate	Action
ANY	Proxy Key AND IP	50 req / 10 s	Throttle
ANY	Custom Hostname AND IP	50 req / 10 s	Throttle

Additional Limits for Proxy Requests

Limit Type	Value	Behavior
Destination Timeout	25 seconds	Returns 408 if exceeded

IPs

IP-Based Global Rate Limit

Resource	Counter	Rate	Action
ANY	IP	2000 req / 10 s	30s Block

Legacy Rate Limits

Legacy API Keys

This only applies to keys without _prod_ or _test_ in the key or are denoted by a Legacy badge on your API Key in an Application on the Portal.

Method	Resource	Counter	Rate	Action
ANY	ANY	IP and API Key	100 req / 1 m	Throttle

Error Codes

Status Code	Meaning
`429`	Request has been rate limited

Other Limits

Default Quotas

Quotas are Tenant specific limits that can be adjusted by Basis Theory. Below are some of the default Quota's applied to all tenants as they are created - to find the full list of Quota' or to request a change, please visit your tenant's Quota page.

Quota Name	Limit
Rate Limit	Default
Log Retention	24 hours
Tokenize Limit	5 tokens
Detokenize Limit	5 tokens
CVC Retention	1 hour
Token Intent Retention	24 hours

Code Execution

Applicable to Reactors and Proxy Transforms.

Metric	Limit	Note
Maximum code length	50K characters	Please reach out if your use case requires more characters.
Payload Size	1 MB	Please reach out if your use case requires larger payloads.
Hot concurrency	1	This will fan out and cold start additional Reactors if multiple requests happen concurrently. Please reach out if you need additional hot concurrency
Synchronous Timeout	30 seconds	Synchronous Reactor Invoke and Pre-configured Proxy Invoke code executions will timeout after 30s.
Asynchronous Timeout	300 seconds	Asynchronous Reactor Invoke code executions will timeout after 300s.

Account Updater

The maximum supported Batch Account Updater request file size is 30 MB per file (approx. 300k tokens).

If you need to update more than 300k tokens at a time, you can split your request into multiple files and create multiple jobs in parallel.

Default Rate Limits​

Tenant Type Rate Limits​

Test Tenant​

API Resource Rate Limits​

Application Type Rate Limits​

Private Application​

Public Application​

Management Application​

Proxies​

Unauthenticated / Whitelabel Proxies​

Additional Limits for Proxy Requests​

IPs​

IP-Based Global Rate Limit​

Legacy Rate Limits​

Legacy API Keys​

Error Codes​

Other Limits​

Default Quotas​

Code Execution​

Account Updater​