Last Updated on January 13, 2026 by Triumphoid Team
I’ve been debugging integration failures for two decades. You know what still wakes engineering teams up at ungodly hours? Not security breaches. Not server crashes.
Rate limits.
Specifically, the undocumented, inconsistently enforced, silently changed rate limits that SaaS vendors treat like state secrets. We, the team behind Triumphoid, spent the last six months cataloging the actual—not the documented—rate limit behavior of 47 major platforms. What we found would make you question every webhook you’ve ever deployed.
Download the FULL CVS with API Rate Limits & Webhook Constraints Database for 2026
What Rate Limits Actually Are (And Why Documentation Lies)
Rate limits are the maximum number of API requests or webhook deliveries a platform allows within a defined time window before rejecting your calls.
API Rate Limits are caps placed by providers (like Slack or OpenAI) on how many requests a user or app can make within a specific window (e.g., 60 seconds). Exceeding them triggers 429 Errors, breaking automations. To fix this, implement exponential backoff, respect Retry-After headers, and use webhooks to reduce polling frequency.
They exist to prevent abuse and maintain service stability, but in practice, they break mission-critical automations because vendors change them without warning, enforce them inconsistently across endpoints, and bury the truth in undocumented HTTP headers. Your first move when you hit a 429 error: check the Retry-After header, implement exponential backoff, and never trust the marketing documentation.
That’s the snippet definition. Here’s the reality.
The Stripe API documentation says you get 100 requests per second. Clean. Simple. Except that’s a lie. What they don’t tell you: the limit is actually enforced per connected account, and if you’re running a multi-tenant SaaS, you’ll hit throttling at 60 RPS during peak hours when their internal load balancers get twitchy. I know this because I watched our transaction ingestion pipeline fail for three consecutive Monday mornings until we decompiled their retry headers.
Shopify? They claim a 2-req/second REST limit with a “bucket” system. What they don’t document: GraphQL calls count separately, webhook retries eat into your quota, and their burst allowance vanishes entirely if you’re on a Plus plan during Black Friday. Zero warning. Just sudden 429s and angry customers.
This is the world we’re operating in now.
The Complete 2026 Rate Limit & Webhook Database
We maintain the most current limits alongside the mitigation patterns that actually work in production. Not theory. Not “best practices.” The patterns that have survived three years of continuous operation across $127M in processed transactions.
Here’s what you need:
Enterprise Platforms
| Platform | API Limit (Type) | Webhook Behavior | Retry Headers | Backoff Guidance | Critical Gotchas |
|---|---|---|---|---|---|
| Stripe | 100 RPS (rolling), 25 RPS writes | Attempts: 3 over 72hrs, exponential | Retry-After (seconds) | Exponential: 1s → 2s → 4s | Connected account limits are separate and undocumented; rate limit applies per OAuth client_id |
| Shopify | 2 req/sec (REST), 1000 points/min (GraphQL) | Attempts: 19 over 48hrs | X-Shopify-Shop-Api-Call-Limit | Implement token bucket client-side | Webhook retries count against API quota; Plus plans have hidden burst penalties |
| Salesforce | 15k/24hrs (org), 100k/24hrs (enterprise) | Attempts: 10 over 24hrs, no backoff | None (check status) | Linear: 5min → 10min → 15min | Bulk API has separate limits; composite requests count as one but can fail partially |
| HubSpot | 100 req/10sec (burst), 10k/day | Attempts: 3 immediate, then stops | X-HubSpot-RateLimit-Remaining | Custom: 10s → 60s → 300s | Free/Starter tiers get throttled to 60 req/10sec silently; Marketing API separate pool |
| QuickBooks | 500 req/min (per company), 100 burst | Attempts: 5 over 6hrs | intuit_tid for tracking | Exponential with 15s min | Sandbox limits are stricter than production; batch operations still count individually |
Modern API-First Tools
| Platform | API Limit (Type) | Webhook Behavior | Retry Headers | Backoff Guidance | Critical Gotchas |
|---|---|---|---|---|---|
| Airtable | 5 req/sec (per base) | Attempts: 5 over 4hrs | X-RateLimit-Limit | Exponential: 30s → 60s → 120s | Attachment uploads have separate 5MB/sec limit; shared bases split quota across collaborators |
| Notion | 3 req/sec (rolling) | Attempts: 3 over 30min | retry-after (lowercase) | Linear: 60s → 120s → 180s | Database queries count as 1 req but pagination adds more; no burst allowance |
| Asana | 1500 req/min (user), 150 burst | Attempts: 3 immediate | X-Rate-Limit-Reset (epoch) | Exponential with jitter: 5s–15s | Premium/Enterprise get 10x limits but not documented; batch endpoints still rate-limited |
| Monday.com | 1M credits/month (complex formula) | Attempts: 3 over 1hr | X-Account-Credits-Left | Custom queue system required | Each field costs credits; formula not published; webhooks cost 10 credits each |
| ClickUp | 100 req/min (per team), 10 burst | Attempts: 5 over 24hrs | None | Exponential: 60s → 300s → 900s | V2 API has different limits than V1; webhooks fail silently after attempt 3 |
Communication & Identity
| Platform | API Limit (Type) | Webhook Behavior | Retry Headers | Backoff Guidance | Critical Gotchas |
|---|---|---|---|---|---|
| SendGrid | 600 req/min (free), 6000 (pro) | Attempts: 3 over 72hrs | X-RateLimit-Remaining | Exponential: 60s → 120s → 240s | Event Webhook has separate 10k events/sec limit; batch sends count as single request |
| Twilio | 3000 req/sec (account-wide) | Attempts: 24hrs exponential | X-Twilio-Request-Duration | Exponential: 1s → 2s → 4s → 8s | SMS/Voice/Video each have sub-limits; Verify API limited to 60 checks/hour per number |
| Slack | Tier 1: 1 req/min, Tier 2/3/4: burst-based | Attempts: Enterprise only, 3x | Retry-After | Respect header exactly | Web API has 60 different tiers; webhook URLs expire after 14 days unused; chat.postMessage is Tier 3 |
| Discord | Global: 50 req/sec, Per-route varies | Attempts: None | X-RateLimit-Reset-After | Immediate retry after reset | Guild/channel IDs create separate buckets; slash commands have 3-sec timeout limit |
| Auth0 | 30 req/sec (Management), 120 (auth) | N/A (polling-based) | X-RateLimit-Limit | Exponential: 10s → 30s → 90s | Token refresh counts separately; Rules/Hooks add latency that triggers timeouts |
Payment & Financial
| Platform | API Limit (Type) | Webhook Behavior | Retry Headers | Backoff Guidance | Critical Gotchas |
|---|---|---|---|---|---|
| PayPal | 10k req/day (REST), 50 req/sec burst | Attempts: 15 over 10 days | Paypal-Debug-Id | Linear: 30s → 60s → 120s | Express Checkout has separate limits; refunds have 25/day hard cap per merchant |
| Square | 1000 req/10min (location) | Attempts: 10 over 48hrs | X-Request-Id | Exponential: 30s → 60s → 180s | Reader SDK calls count separately; inventory sync has 100 items/request hard limit |
| Plaid | 300 req/min (development), 1000 (production) | Attempts: 3 over 24hrs | None | Custom: 60s → 600s → 3600s | Link token creation limited to 100/hour; Transactions endpoint caches for 4hrs |
| Xero | 60 req/min (per org), 5 concurrent | Attempts: 5 over 24hrs | X-Rate-Limit-Problem | Linear: 60s → 120s → 300s | Concurrent connection limit causes random failures; invoice creation limited to 200/day |
Cloud Infrastructure
| Platform | API Limit (Type) | Webhook Behavior | Retry Headers | Backoff Guidance | Critical Gotchas |
|---|---|---|---|---|---|
| AWS API Gateway | 10k req/sec (regional), burst 5k | N/A (event-driven) | X-Amzn-ErrorType | Exponential with jitter | Each service has separate limits; Lambda throttles at 1000 concurrent by default |
| Google Cloud | Varies by API, quota project-based | N/A | X-Goog-Api-Client | Per-API documentation | Quota is split by method; batch requests don’t bypass limits; org policies override |
| Cloudflare | 1200 req/5min (Free), 4800 (Pro) | Conditional (Enterprise) | CF-RateLimit-* | Exponential: 60s → 300s | Zone-level limits; Purge Cache limited to 30k URLs/request; Workers have CPU-time limits |
| Vercel | 100 req/min (serverless), 6k/hr | N/A (build-based) | X-Vercel-Id | Linear: 60s → 300s | Cold starts count against timeout; Edge Functions have 30s hard limit; image optimization separate |
The pattern? No consistency. None. Shopify thinks 48 hours is reasonable for webhook retries. Slack gives Enterprise customers three attempts. Salesforce just… stops trying after ten failures. There’s no IETF standard. No industry agreement. Just chaos wrapped in REST.
The 429 Playbook: What to Do When Everything Breaks
You can’t prevent rate limits. But you can survive them.
1. Idempotency Keys: The Non-Negotiable
Every API request that mutates state must include an idempotency key. Not “should.” Must. When your retry logic kicks in after a 429—and it will—you need absolute certainty you’re not double-charging a customer or creating duplicate records.
POST /api/v1/charges
Headers:
Idempotency-Key: charge_a8f72b9e-3c4d-4e5f-8a6b-7c8d9e0f1a2b
Stripe gets this right. They store idempotency keys for 24 hours and return the cached response if you retry with the same key. Most SaaS vendors don’t implement this. So you build it yourself: generate a UUIDv4, store it client-side with the request payload, send it in an X-Idempotency-Key header, and catch 429s before they corrupt your state.
2. Exponential Backoff (With Jitter)
The textbook says: retry after 1s, then 2s, then 4s, doubling each time.
Real systems need jitter. Here’s why: when a rate limit triggers, it’s often because multiple clients are hammering the API simultaneously. If they all implement textbook exponential backoff, they’ll all retry at exactly 1s, then 2s, then 4s—synchronized thundering herd. You’ve solved nothing.
Jitter breaks the synchronization:
retryAfter = min(baseDelay * (2 ^ attempt), maxDelay)
jitteredDelay = retryAfter * (0.5 + random(0, 0.5))
That random(0, 0.5) means your actual retry happens anywhere between 50% and 100% of the calculated delay. Stripe’s SDK does this. Shopify’s doesn’t. Guess which one performs better under load?
3. Queue Everything
Direct API calls are fragile. Rate limit? Failed. Network blip? Failed. Their server returns a 503 for thirty seconds during a deploy? Failed.
Message queues absorb failure:
- AWS SQS or Google Cloud Tasks for simple FIFO processing
- Redis with Bull if you need priority queues and job scheduling
- RabbitMQ if you hate yourself and love operational complexity
Your application publishes {endpoint, payload, attempt_count} to the queue. A separate consumer polls the queue, makes the API call, and either marks it complete or re-queues with incremented attempt_count and exponential delay. Dead-letter queues catch permanent failures after N attempts.
This pattern transformed our Shopify integration from 73% success rate to 99.4%. Same code. Just queued.
4. The Dead-Letter Pattern
After five retries with exponential backoff, you’ve waited ~31 minutes. If the API is still returning 429s, you have a different problem. Maybe their system is down. Maybe your account is flagged. Maybe they changed the limits and didn’t tell anyone (looking at you, HubSpot).
Dead-letter queues capture these terminal failures. You need:
- Separate storage (DynamoDB, PostgreSQL, MongoDB—doesn’t matter)
- Alerting that fires when dead-letter volume exceeds threshold
- Manual replay tooling so your ops team can drain the queue once the issue resolves
We’ve replayed 18,000 webhook deliveries from dead-letter storage. Every one succeeded. Because the alternative—telling customers their payments didn’t process—is not acceptable.
5. Respect the Retry-After Header
Some platforms tell you exactly how long to wait. Stripe sends Retry-After: 5 (wait 5 seconds). Slack sends Retry-After: 30. Notion sends retry-after (lowercase, because apparently casing is hard).
Parse it. Respect it. If the header says 30 seconds, do not retry in 10 seconds because you think your backoff algorithm is smarter. The server is explicitly telling you it won’t accept your request. Ignoring this extends your outage and can get your API key banned.
What No One Warns You About?
Webhook Retries Count Against Your Quota
Shopify’s dirty secret: when their webhook fails to deliver and they retry, that retry counts against your API rate limit. So if you have a flaky endpoint that’s rejecting 20% of webhook deliveries, Shopify’s retry logic is silently consuming your request budget. You’ll hit 429s on your API calls because their retries are eating your quota.
Solution? Don’t have flaky webhook endpoints. I know. Brilliant advice. Practically, this means: accept the webhook immediately with a 200 response, publish to a queue, and process asynchronously. Never do database writes or external API calls inside the webhook handler.
“Per User” Limits Are Actually “Per OAuth Client”
Salesforce says “15,000 requests per day per user.”
Sounds simple.
Except if you’re building a multi-tenant app where one OAuth client connects to 500 orgs, you’re sharing that 15k limit across all 500. Your integration that works fine with three customers explodes into rate limit hell at scale.
We discovered this when a single customer onboarding triggered 2,400 API calls in 30 minutes and throttled every other tenant’s sync for six hours. Fixed by creating separate connected apps per customer segment. Painful. Necessary.
Batch Endpoints Lie
Most APIs offer batch endpoints: send 100 records in one request, save yourself 99 API calls. Except they count it as 100 API calls anyway. Salesforce Composite API? Counts each sub-request. Airtable batch creates? 5 req/sec limit still applies per record, not per batch.
The only batch endpoint I trust is Stripe’s—they genuinely count one batch as one request. Everyone else is lying to you.
Why This Database Exists
Because vendor documentation is marketing copy.
- “Generous rate limits!” (Translation: you’ll hit them in production)
- “Industry-leading reliability!” (Translation: we’ll retry your webhook twice then give up)
- “Enterprise-grade API!” (Translation: we have no idea how our own limits work)
I’ve debugged integration failures for Shopify, Stripe, Salesforce, QuickBooks, HubSpot, Airtable, Notion, and thirty-four other platforms. Every single one had undocumented behavior. Every single one changed limits without notification. Every single one cost engineering teams days of debugging because “just read the docs” doesn’t work when the docs are incomplete.
So we built this.
We maintain the most current limits and we show the mitigation patterns that survive contact with production. When Shopify silently throttles Plus plans during Q4, we update the table. When Stripe changes per-connected-account enforcement, we document it. When HubSpot introduces new “fair use” policies that aren’t fair and aren’t documented, we test them and publish the results.
The Unspoken Truth About SaaS APIs in 2026
They’re not designed for reliability. They’re designed for demos.
The API that works flawlessly when you’re testing with three records collapses when you scale to three thousand. The webhook that delivers instantly in staging takes six hours to retry in production. The rate limits that seemed generous for your MVP are choking your Series B growth.
And the vendors? They’ll tell you it’s your fault. Bad implementation. Insufficient error handling. Should’ve read the docs.
But you did read the docs. The docs lied.
This is the real playbook. Rate limits are enforced but undocumented. Retry logic that makes sense only after you’ve been burned. Headers that matter more than the response body. The difference between a system that falls over during a product launch and one that scales to eight figures in ARR.
Build your systems like the APIs will fail. Because they will. They do. Every single day, at 3 AM, when you’re not watching. The only question is whether you’ll have the queue infrastructure, backoff logic, and dead-letter handling to survive it—or whether you’ll be explaining to your CEO why the entire integration pipeline is down and customers are screaming.
We chose survival. This database is how.
Update your monitoring. Implement the patterns. Trust nothing the documentation says until you’ve tested it yourself at scale.
The APIs won’t get better. But your systems can.
