Skip to main content
Vouchmark applies express-rate-limit per surface. Each limiter keys on the client IP by default and emits the standard RateLimit-* headers so you can plan retries. Limits below are quoted as requests / window.
SurfaceLimitWindow
Auth (/login, /signup, /google-*, /forgot-password, /reset-password, /verify-email, login OTP, …)5015 min
Public forms (/subscribe, /book-demo)2015 min
Verification uploads (/verifyTin, /verifyBill, /verifyJtbTin, /verifyCac*)101 hour
Physical address verification (POST /physicalAddress)524 hours
Monitoring reads (GET /monitoring/*)1201 min
Monitoring writes (watchlist add/remove, mark alert read)301 min
Wallet reads (GET /wallet, /wallet/transactions, /wallet/pricing-rates)601 min
Wallet writes (/wallet/topup, /wallet/auto-top-up, /wallet/threshold)101 min
API key rotation (POST /developers/api-keys/rotate)201 hour
Webhook changes (POST/DELETE /developers/webhooks)1001 hour
Endpoints without a dedicated limiter are not separately throttled at the application layer.

When you hit a limit

The response is 429 Too Many Requests. Because limiters use standardHeaders, the standard headers are present:
RateLimit-Limit: 120
RateLimit-Remaining: 0
RateLimit-Reset: 23
Retry-After: 23
The body is the limiter’s configured message, for example:
{
  "success": false,
  "message": "Too many attempts from this IP, please try again after 15 minutes"
}
Respect Retry-After (seconds). On repeated 429s, back off exponentially with jitter — don’t retry in a tight loop.

Increasing limits

These ceilings cover normal product use. If you’re building a high-throughput integration, contact support@vouchmark.com with your use case.