Skip to content
/
Rate Limiting
Last updated

Rate Limiting

To ensure stability, performance, and fair usage, the Bermuda Commercial Bank RESTful Open Banking API enforces rate limiting. This prevents abuse and guarantees a consistent experience for all users.

🚦 What is Rate Limiting?

Rate limiting restricts the number of API requests a user or IP address can make within a specific time frame. Once the limit is reached, further requests are temporarily blocked.

🧭 Strategy: Fixed Window

The API uses a fixed window rate limiting approach. This means requests are counted within a defined time window, and once the limit is hit, no further requests are allowed until the window resets.

πŸ”§ Current Configuration

  • Time Window: 60 minutes
  • Request Limit: 300 requests per user or IP address

πŸ“Œ Example: If a user sends 300 requests within an hour, any additional requests during that hour will be blocked until the next 60-minute window begins.

Virtual Accounts Specific Rate Limiting

  • Scope: Endpoints whose path contains virtual-accounts (e.g., POST …/virtual-accounts for account creation).
  • Pacing rule: Global limit of 1 request every 2 seconds for virtual account creation across all clients.
  • Handling: Exceeding the pacing returns 429 Too Many Requests (may include Retry-After). Space requests β‰₯2s and back off on 429.
  • Note: This VA-specific pacing is in addition to the global fixed-window limit above.

⚠️ When the Limit is Exceeded

If the rate limit is exceeded, the API returns a 429 Too Many Requests response, including a timestamp indicating when you can retry.

πŸ“‰ Example Response

{
  "error": "Rate limit exceeded",
  "message": "You have exceeded the 300 requests per 60 minutes limit. Please wait for the rate limit to reset.",
  "retry_after": "2023-12-31T23:59:59Z"
}

βœ… Best Practices for Developers

  1. Track Usage
    Monitor your request count and avoid exceeding the limit.

  2. Graceful Handling
    Implement logic to catch 429 responses and back off appropriately.

  3. Use retry_after
    Honor the retry_after timestamp before retrying requests.

  4. Optimize API Calls
    Cache responses where possible and avoid redundant requests.

  5. Distribute Requests
    Spread requests over time rather than sending them in bursts.

πŸ”§ Do You Need to Configure Anything?

No manual configuration is neededβ€”rate limiting is handled by the API infrastructure. However, understanding these limits is essential for building efficient, user-friendly applications.

πŸ’¬ Need Help?

If you have questions or require additional support, please consult the full API documentation or contact our support team at πŸ“§ api@bcb.bm.

Previous page
Next page