Skip to main content

API rate limiting

To ensure optimal performance and availability of Veracode services to all users, Veracode reserves the right to limit API requests.

API rate limits

Veracode rate limits, or throttles, API requests from any Veracode account that exceeds the allowed limits. After reaching the request limit, any API requests to Veracode return HTTP status code 429. The header information in the HTTP response indicates the number of seconds to wait before resending the request.

API callsAllowed limit
Flaw Report and Results XML APIs:
  • detailedreport.do
  • summaryreport.do
  • generateflawreport.do
  • downloadflawreport.do
  • detailedreportpdf.do
  • summaryreportpdf.do
  • thirdpartyreportpdf.do
  • sharedreport.do
  • sharedreportpdf.do
  • getsharedreportinfo.do
  • getsharedreportlist.do
80 calls/minute per IP address
All other XML APIs250 calls/minute per IP address
All REST APIs500 calls/minute per IP address

Resolve API rate limiting

If your automations appear to be experiencing rate limiting, you can review them for these issues or configuration settings in an attempt to remove the limiting and restore your API requests to normal performance:

  • Any bugs, for example, that might be causing the APIs to send unnecessary requests.
  • Any hard-coded API frequencies that you can reduce to ensure that they are under 250 API requests per minute.
  • Teams that are using the same API credentials for a large number of scans, such as running several scans with the same credentials in more than one development pipeline, and sending an excessive number of requests. Veracode recommends using separate API credentials for each project particularly for teams that need to run a high number of scans.
  • The interval value for the retry-after header is sufficient for your requests. Do not retry your requests until after this interval has expired.