Skip to main content
Dock rate limits requests to keep the API stable and fair for every integration.
Never use extra accounts, extra API keys, bots, proxies, rotating IPs, or automation patterns to bypass limits. Bypass attempts may lead to limited, suspended, or revoked keys.

Plan limits

PlanAPI keysPremium keysDaily requestsPacing
Premium10102,5001 request per second
Staff-issued support keys and approved partner overrides may have custom limits. The response headers are the source of truth for your active quota.

Headers

Dock sends standard rate-limit headers on authenticated API requests.
X-RateLimit-Limit
number
Current short-window pacing limit.
X-RateLimit-Remaining
number
Remaining requests in the short-window bucket.
X-RateLimit-Reset
unix timestamp
Time when the short-window bucket resets.
X-RateLimit-Limit-Day
number
Daily request limit for the authenticated key.
X-RateLimit-Remaining-Day
number
Remaining requests in the daily bucket.
Retry-After
seconds
Present on 429 responses. Wait at least this many seconds before retrying.

Verification-session limits

Verification sessions have extra guardrails because clients often poll for completion.
LimitValue
Session lifetime5 minutes
Create-session burst6 sessions
Create-session refill1 session every 10 seconds
Minimum poll interval2 seconds
Long-poll wait max25 seconds
SSE stream max30 seconds
Premium poll limit150 polls per session
Prefer GET /api/v1/verify/session/:sid?wait=25 or GET /api/v1/verify/session/:sid/stream instead of polling in tight loops.

Handling 429 responses

async function requestWithBackoff(url, options, attempts = 5) {
  for (let attempt = 0; attempt < attempts; attempt += 1) {
    const response = await fetch(url, options);

    if (response.status !== 429) {
      return response;
    }

    const retryAfter = Number(response.headers.get("Retry-After") || 1);
    await new Promise((resolve) => setTimeout(resolve, retryAfter * 1000));
  }

  throw new Error("Rate limited after maximum retries.");
}

Acceptable use

Do not:
  • Use multiple keys, accounts, bots, proxies, or rotating IPs to avoid limits.
  • Scrape, automate, or repeatedly call endpoints in a way intended to bypass quotas or access controls.
  • Continue retrying aggressively after 429 responses.
  • Share API keys with untrusted parties.
  • Disrupt, overload, reverse engineer, resell, or sublicense Dock services.
For the full policy, read the Terms of Service and Privacy Policy.