How do I fix a 429 Too Many Requests error?

1. Read the Retry-After header and wait that long before retrying. 2. Add exponential backoff with jitter to your client. 3. Respect documented rate limits (check X-RateLimit-* headers). 4. Cache responses to reduce request volume. 5. Spread requests across time instead of bursting. 6. If legitimate traffic, request a higher rate limit or upgrade your plan.

How do I monitor for 429 errors?

UptimeSignal checks your endpoints on a schedule and flags non-2xx responses, including 429 Too Many Requests. This helps you catch when your API is rate limiting real users or when an upstream provider is throttling you, so you can adjust your request rate or upgrade limits before users are impacted.

429 Too Many Requests: What It Means and How to Fix It

Q: What does HTTP 429 Too Many Requests mean?

429 Too Many Requests is an HTTP status code that means the client has sent too many requests in a given period and has been rate limited by the server. The server is intentionally refusing to process the request right now to protect itself from overload or abuse. It usually includes a Retry-After header telling you how long to wait before trying again.

Q: What causes a 429 error?

Common causes: exceeding an API's rate limit (requests per second/minute/hour), a retry loop or runaway script hammering an endpoint, too many concurrent requests from one IP or API key, hitting a WAF or DDoS protection threshold, or shared rate limits when multiple services use the same key. Some servers also return 429 for login brute-force protection.

Q: What is the Retry-After header?

Retry-After is an HTTP response header sent with a 429 (or 503) telling the client how long to wait before making another request. It can be a number of seconds (Retry-After: 120) or an HTTP date. A well-behaved client should pause for at least that long before retrying instead of immediately hammering the endpoint again.

What It Means

HTTP 429 Too Many Requests means the client has sent too many requests in a given amount of time and the server is rate limiting it. The server is intentionally refusing to process the request right now — not because anything is broken, but to protect itself from overload or abuse. The response usually includes a Retry-After header telling you how long to wait.

HTTP/1.1 429 Too Many Requests
Retry-After: 60
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1719500000

{"error": "rate_limit_exceeded", "message": "Too many requests"}

Common Causes

Exceeding an API rate limit: Too many requests per second, minute, or hour
Retry loops: A failing request retried in a tight loop without backoff
High concurrency: Too many parallel requests from one IP or API key
Shared API keys: Multiple services consuming the same rate budget
WAF / DDoS protection: Cloudflare or similar throttling suspected abuse
Brute-force protection: Repeated login attempts triggering a limit

How to Fix It

The right fix depends on whether you're the one being rate limited (client) or the one returning 429 (server).

If you're the client (calling an API)

// Respect Retry-After and use exponential backoff with jitter
async function fetchWithBackoff(url, opts, attempt = 0) {
  const res = await fetch(url, opts);
  if (res.status !== 429) return res;

  const retryAfter = Number(res.headers.get('Retry-After')) || 0;
  const backoff = retryAfter * 1000 || Math.min(2 ** attempt * 500, 30000);
  const jitter = Math.random() * 250;
  await new Promise(r => setTimeout(r, backoff + jitter));
  return fetchWithBackoff(url, opts, attempt + 1);
}

Read the Retry-After header and wait before retrying
Check X-RateLimit-Remaining and throttle before you hit zero
Cache responses so you make fewer calls
Batch or debounce requests instead of bursting

If you're the server (returning 429)

# Always send Retry-After so clients know when to come back
HTTP/1.1 429 Too Many Requests
Retry-After: 30

# Nginx rate limiting example
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
location /api/ {
    limit_req zone=api burst=20 nodelay;
    limit_req_status 429;
}

429 vs Other Status Codes

429 Too Many Requests: You're being rate limited — slow down and retry later
503 Service Unavailable: Server is overloaded or down, not specific to your request rate
403 Forbidden: You're not allowed at all — retrying won't help

How to Monitor for 429 Errors

A 429 from your own API means real users are getting throttled; a 429 from an upstream provider means your integration is being limited. UptimeSignal checks your endpoints on a schedule and flags non-2xx responses including 429, so you can adjust your request rate or raise limits before it impacts users. Pair it with response-time tracking to spot throttling early. See also API monitoring.

Frequently Asked Questions

What does HTTP 429 mean?

429 Too Many Requests means the client has sent too many requests in a given period and has been rate limited. The server is intentionally refusing the request right now to protect itself. It usually includes a Retry-After header telling you how long to wait before trying again.

What causes a 429 error?

Exceeding an API's rate limit, retry loops without backoff, too many concurrent requests from one IP or key, shared API keys consuming the same budget, WAF/DDoS throttling, or brute-force login protection. Check X-RateLimit-* headers to see your limits.

How do I fix a 429 error?

Read the Retry-After header and wait, add exponential backoff with jitter, respect documented limits, cache responses to cut volume, and spread requests over time. If the traffic is legitimate, request a higher rate limit or upgrade your plan.

What is the Retry-After header?

Retry-After is an HTTP header sent with a 429 (or 503) telling the client how long to wait before retrying. It's either a number of seconds (Retry-After: 120) or an HTTP date. A well-behaved client pauses at least that long before trying again.

Is a 429 error my fault or the server's?

429 is a client error (4xx), so it generally indicates the client sent too many requests. But it can also reflect an under-provisioned server limit or a shared key being exhausted by another service. If you're well under documented limits and still see 429s, contact the provider — the limit may be misconfigured or shared.

429 Too Many Requests