To ensure optimal performance and availability of Veracode services to all users, Veracode reserves the right to limit API requests.
API rate limits
Veracode rate limits, or throttles, API requests from any Veracode account that exceeds the allowed limits. After reaching the request limit, any API requests to Veracode return HTTP status code
429. The header information in the HTTP response indicates the number of seconds to wait before resending the request.
|API calls||Allowed limit|
|Flaw Report and Results XML APIs:||80 calls/minute per IP address|
|All other XML APIs||250 calls/minute per IP address|
|All REST APIs||500 calls/minute per IP address|
Resolve API rate limiting
If your automations appear to be experiencing rate limiting, you can review them for these issues or configuration settings in an attempt to remove the limiting and restore your API requests to normal performance:
- Any bugs, for example, that might be causing the APIs to send unnecessary requests.
- Any hard-coded API frequencies that you can reduce to ensure that they are under 250 API requests per minute.
- Teams that are using the same API credentials for a large number of scans, such as running several scans with the same credentials in more than one development pipeline, and sending an excessive number of requests. Veracode recommends using separate API credentials for each project particularly for teams that need to run a high number of scans.
- The interval value for the
retry-afterheader is sufficient for your requests. Do not retry your requests until after this interval has expired.