API Rate Limits
- Most actions on urlscan.io are subject to quotas and rate limits, regardless of whether they are performed in the UI or via the API.
- There are separate limits per minute, per hour, and per day for each action.
- Check your personal quotas for details.
- Only successful requests count against your quota, i.e., requests which return an HTTP 200 status code.
- We use a fixed window approach to rate limit requests, with resets at the full minute, hour, and day (at midnight UTC).
- If you exceed a rate limit for an action, the API will respond with a HTTP 429 error code for additional requests against that action.
- You can query your current limits and quotas via the API Quotas endpoint.
The API returns X-Rate-Limit HTTP headers on each request to a rate limited resource. The values only apply to the action of that API request, i.e., if you exceeded your quota for private scans you might still have available quota to submit unlisted scans or perform a search request. The limit returned is always the next one to be exceeded in absolute numbers, so if your per-hour quota still has 1000 requests remaining but your per-day quota only has 500 requests left, you will receive the per-day quota. Make sure to respect the rate limit headers as returned by every request.
X-Rate-Limit-Scope: ip-address
X-Rate-Limit-Action: search
X-Rate-Limit-Window: minute
X-Rate-Limit-Limit: 30
X-Rate-Limit-Remaining: 24
X-Rate-Limit-Reset: 2025-05-18T20:19:00.000Z
X-Rate-Limit-Reset-After: 17These rate limit headers are explained below:
- X-Rate-Limit-Scope
- Either
user(with cookie or API-Key header) orip-addressfor unauthenticated requests.
- Either
- X-Rate-Limit-Action
- Which API actions the rate limit refers to, e.g.,
searchorpublic.
- Which API actions the rate limit refers to, e.g.,
- X-Rate-Limit-Window
- Rate window with the least fewest remaining calls, either
minute,hour, orday.
- Rate window with the least fewest remaining calls, either
- X-Rate-Limit-Limit
- Your rate limit for this action and window.
- X-Rate-Limit-Remaining
- Remaining calls for this action and window (not counting the current request).
- X-Rate-Limit-Reset
- ISO-8601 timestamp of when the rate limit resets.
- X-Rate-Limit-Reset-After
- Seconds remaining until the rate limit resets.