API rate limits & AI usage budget
Request rate limits per API key, the 429 + Retry-After contract, and the 402 you'll see if AI-backed calls exceed the monthly AI budget.
Advanced The Protocol REST API applies two independent limits to protect the platform: a request rate limit on every API key, and a monthly AI usage budget on AI-backed endpoints. Both are enforced server-side — no setup required — but your integration should handle the status codes below gracefully.
Request rate limits
Each API key (pk_live_…) is limited independently of every other key on your
account or any other account:
| Window | Limit |
|---|---|
| Per minute | 1,000 requests |
| Per hour | 10,000 requests |
Go over either window and the API returns:
HTTP/1.1 429 Too Many Requests
Retry-After: 37
Retry-After is the number of seconds to wait before retrying. Back off for at least that long
— retrying immediately just consumes more of the same window.
Scope: these limits apply only to requests authenticated with a
pk_live_API key. Your own dashboard/mobile sessions (JWT-based) and an AI assistant connected via the AI Agent MCP connector are on separate, unrelated limits and are not affected by this table.
AI usage budget (402)
Some endpoints call out to an AI model on your behalf (e.g. AI-assisted content generation, coach-chat, meal/photo analysis). Every account has a monthly AI usage budget, shared across all AI-backed features regardless of plan:
| Monthly AI budget | $100 |
| Resets | Start of each monthly billing period |
If a call to an AI-backed endpoint would exceed your remaining budget for the current period, the API returns:
HTTP/1.1 402 Payment Required
{
"success": false,
"message": "AI usage limit reached for this billing period",
"data": null
}
Non-AI endpoints are unaffected — a 402 only ever comes from an endpoint that calls an AI model. If you’re consistently hitting this limit, reach out — usage-based overage is available on request.
Handling both in your integration
- Treat 429 as retryable: read
Retry-After, wait, then retry the same request. - Treat 402 as not immediately retryable: it clears at the next billing period, not on a timer — retrying sooner won’t help.
- Both are ordinary JSON error responses (
{ success: false, message, data: null }), same shape as any other API error — no special parsing needed beyond checking the status code.
Related
- Creating & using API keys — create a key, authenticate a request, revoke a key.
- API reference — full endpoint list, including which endpoints are AI-backed.