About API Rate Limiting

Veracode APIs

To ensure optimal performance and availability of Veracode services to all users, Veracode reserves the right to limit API requests.

Veracode rate limits, or throttles, API requests from any Veracode account that exceeds the allowed limit of 500 API requests within a 120-second period. After reaching the request limit, any API requests to Veracode return HTTP status code 429. The header information in the HTTP response indicates the number of seconds to wait before resending the request.

If your automations appear to be experiencing rate limiting, review them for the following issues or configuration settings to remove the limiting and restore your API requests to normal performance:

  • Any bugs that might, for example, be causing the APIs to send unnecessary requests.
  • Any hard-coded API frequencies that you can reduce to ensure that they are under 250 API requests per minute.
  • Teams that are using the same API credentials for a large number of scans, such as running several scans with the same credentials in more than one development pipeline, and sending an excessive number of requests. Veracode recommends using separate API credentials for each project, particularly for teams that need to run a high number of scans.
  • The interval value for the retry-after header is sufficient for your requests. Do not retry your requests until after this interval has expired.
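
The following Python client wrapper is an added example, not Veracode code. It keeps one set of API credentials under 250 requests per minute and, on HTTP 429, waits for the retry-after interval before resending. The `send` callable, the `Throttle` class, and the 30-second fallback are assumptions made for illustration.

```python
import time
from collections import deque

WINDOW_SECONDS = 60      # page guidance: stay under 250 requests per minute
MAX_PER_WINDOW = 249


class Throttle:
    """Sliding-window limiter shared by every call that uses one API credential."""

    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self.clock, self.sleep, self.sent = clock, sleep, deque()

    def wait_for_slot(self):
        now = self.clock()
        while self.sent and now - self.sent[0] >= WINDOW_SECONDS:
            self.sent.popleft()                  # drop requests that left the window
        if len(self.sent) >= MAX_PER_WINDOW:
            # Window is full: wait until the oldest request ages out of it.
            self.sleep(WINDOW_SECONDS - (now - self.sent[0]))
            self.sent.popleft()
        self.sent.append(self.clock())


def retry_after_seconds(headers, default=30):
    """Read the wait interval from a 429 response; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "retry-after":
            try:
                return max(0, int(value.strip()))
            except ValueError:
                return default                   # assumption: fall back if not an integer
    return default                               # assumption: fall back if header is absent


def call_with_backoff(send, throttle, max_attempts=5):
    """send() is a hypothetical callable returning (status, headers, body)."""
    for _ in range(max_attempts):
        throttle.wait_for_slot()
        status, headers, body = send()
        if status != 429:
            return status, body
        # Do not resend until the server-provided interval has expired.
        throttle.sleep(retry_after_seconds(headers))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")
```

Share one `Throttle` instance across all threads or jobs that use the same credentials (with a lock if they run concurrently), since the limit applies per account rather than per process.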