Rate Limits
REST and public WebSocket rate limit tiers
Diffusal enforces rate limits on REST and public WebSocket endpoints to protect the platform and ensure fair usage. Authenticated users receive higher limits on supported REST flows based on their tier.
Tier System
REST rate limits are tiered based on authentication status and trading volume.
| Tier | Criteria | Orders/min | Data/min |
|---|---|---|---|
| Unauthenticated | No session (IP-based) | — | 600 |
| Tier 1 | Authenticated trader | 600 | 300 |
| Tier 2 | ≥ $100k 30-day volume | 1,200 | 600 |
| Tier 3 | ≥ $1M 30-day volume | 2,400 | 1,000 |
Column definitions:
- Orders/min — Rate limit for trading and account mutation endpoints (
/api/mm/*,/api/portfolio/*,/api/strategies/*,/api/rfq/*) - Data/min — Rate limit for market data endpoints (
/api/markets/*)
REST Rate Limits
Public Market Data Endpoints
Public market-data endpoints use family-specific IP limits for unauthenticated users:
/api/markets/pairs,/api/markets/contracts,/api/markets/oracle/:pairId,/api/platform/metrics— 12,000 requests/min/api/markets,/api/markets/ticker/:symbol,/api/markets/tickers,/api/markets/orderbook/:symbol,/api/markets/trades/:symbol— 24,000 requests/min- Analytics endpoints such as
/api/markets/iv-history/:pairId,/api/markets/oi-by-strike/:pairId,/api/markets/vol-smile/:pairId,/api/markets/max-pain/:pairId— 16,000 requests/min - Any other public market-data path — 4,000 requests/min
To receive higher limits on public endpoints, authenticate with a SIWE session and include your bearer token. The server will resolve your tier and apply the corresponding Data/min limit instead.
Authenticated Endpoints
Endpoints requiring authentication (/api/mm/*, /api/portfolio/*, /api/strategies/*, /api/rfq/*, /api/account/*) use the Orders/min limit keyed by your wallet address.
Rate Limit Response Headers
Authenticated requests include rate limit headers in the response:
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 595
X-RateLimit-Reset: 1709827200HTTP 429 Responses
When a rate limit is exceeded, the server returns:
HTTP/1.1 429 Too Many Requests
{
"code": "resource_exhausted",
"message": "rate limit exceeded"
}WebSocket Rate Limits
Current public WebSocket limits:
| Limit | Public value |
|---|---|
| Connections/min | 10 |
| Messages/min | 60 |
| Max subscriptions | 25 |
Connection Rate Limit
New public WebSocket connections are rate-limited per IP. If you exceed the connection limit, the connection is silently closed.
Message Rate Limit
Inbound messages on an active public WebSocket connection are rate-limited. If you exceed the message limit, the server responds with an error but keeps the connection open:
{
"error": {
"code": 4029,
"msg": "message rate limit exceeded"
},
"id": 0
}Your client can back off and resume sending messages after the window resets (60 seconds).
Subscription Limit
Each public WebSocket connection has a maximum number of concurrent subscriptions. Attempting to subscribe beyond the limit returns:
{
"error": {
"code": 4029,
"msg": "subscription limit exceeded (max 25)"
},
"id": 1
}The public docs route documents only the public websocket surface. Contributor-only realtime authentication and any non-public websocket tiers are intentionally omitted here.