All authenticated requests are limited using the client's token. If a token is not provided in any API request, this is deemed as aunauthenticated and our ratelimiting falls back to using the client's IP address.
While there is some tolerance between accidentally calling ratelimited routes and API abuse, application developers should strive to respect these limits through the use of application logic and headers providing ratelimiting information returned by our API.
Multiple and repeated instances of calling ratelimited routes may lead to one or more of the following:
- A longer cool-down period
- Revocation of the API token
- IP blacklisting
Ratelimiting is not yet implemeted on API v2. This is an overview of the planned implementation.