> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ryzeapi.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Rate limit & CORS

> Per-minute request limits and CORS rules for browser usage

## Rate limit

To keep the service stable, RyzeAPI applies a per-minute request limit. The limit is counted **per token**: everyone using the same token shares the same bucket.

| Request type                                 | Default limit               |
| -------------------------------------------- | --------------------------- |
| Most endpoints                               | **100 requests per minute** |
| Instance creation (`POST /api/instance/new`) | **20 requests per minute**  |

<Info>
  If you need a higher limit for your account, contact support.
</Info>

### Rate limit headers

**All responses** (including successful ones) include three headers that let your client adapt:

| Header                  | Meaning                                             |
| ----------------------- | --------------------------------------------------- |
| `X-RateLimit-Limit`     | Maximum limit in the current period (e.g., `100`)   |
| `X-RateLimit-Remaining` | How many requests are still available               |
| `X-RateLimit-Reset`     | Unix timestamp (seconds) of when the counter resets |

<Tip>
  Use `X-RateLimit-Remaining` to implement exponential backoff **before** hitting the limit. For example: when it goes below 10, wait a bit before the next call.
</Tip>

### What happens when you exceed it

The API responds with `HTTP 429 Too Many Requests`:

```json theme={null}
{
  "success": false,
  "error": {
    "message": "Rate limit exceeded. Try again later."
  }
}
```

The `X-RateLimit-*` headers continue to be sent, use `X-RateLimit-Reset` to know when you can try again.

### Handling example

```javascript theme={null}
async function callAPI(path, options = {}) {
  const res = await fetch(`https://ryzeapi.cloud${path}`, options);

  // If you exceeded the limit, wait until the reset
  if (res.status === 429) {
    const resetAt = parseInt(res.headers.get("X-RateLimit-Reset"), 10) * 1000;
    const waitMs = Math.max(1000, resetAt - Date.now());
    await new Promise(r => setTimeout(r, waitMs));
    return callAPI(path, options); // retry
  }

  // Preventive backoff: if close to the limit, slow down
  const remaining = parseInt(res.headers.get("X-RateLimit-Remaining"), 10);
  if (remaining < 10) {
    await new Promise(r => setTimeout(r, 500));
  }

  return res.json();
}
```

## CORS

If you are calling the API **from a browser** (JavaScript running on a web page), you need to be mindful of CORS.

### Allowed origins

RyzeAPI accepts requests only from the origins authorized for your account. Unauthorized origins receive the classic CORS error in the browser console:

```
Access to fetch at 'https://ryzeapi.cloud/...' from origin 'https://mysite.com'
has been blocked by CORS policy.
```

<Tip>
  If your frontend application needs to call RyzeAPI, ask support to add your origin (`https://mysite.com`) to your account's allowlist.
</Tip>

### Accepted methods and headers

The API responds to the preflight (`OPTIONS`) with the following headers:

```http theme={null}
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, token
Access-Control-Expose-Headers: Content-Length
```

You can send requests with any HTTP method used by the API and with the `Content-Type`, `Authorization`, or `token` headers.

### No cookies

RyzeAPI **does not use cookies** for authentication, the token goes in the `token` header. Therefore, it is not necessary (and not supported) to send `credentials: "include"` in `fetch` requests.

## WebSocket in browser

Since browser JavaScript does not allow customizing headers in `new WebSocket(...)`, the only way to authenticate is via the query string:

```javascript theme={null}
const ws = new WebSocket(
  `wss://ryzeapi.cloud/ws/$Instance_Name?token=${instanceToken}`
);
```

The WebSocket also follows your account's origin allowlist.

## Checklist

<Check>Implement backoff based on `X-RateLimit-Remaining` so you do not get blocked.</Check>
<Check>Handle `HTTP 429` by retrying after `X-RateLimit-Reset`.</Check>
<Check>If you use the browser, ask support to add your origin to the allowlist.</Check>
<Check>For WebSocket in the browser, pass the token via `?token=` in the URL.</Check>
