HTTP 429 Too Many Requests

4xx Client Error RFC 6585, Section 4

What is HTTP 429 Too Many Requests?

The 429 (Too Many Requests) status code indicates that the user has sent too many requests in a given amount of time. The response should include a Retry-After header indicating how long the client should wait before making a new request. This is the standard response for API rate limiting.

Common Use Cases

  • API rate limiting
  • Login attempt throttling
  • DDoS protection
  • Web scraping prevention

Usage Example

When an API client exceeds 100 requests per minute, return 429 Too Many Requests with a Retry-After header set to the number of seconds to wait (e.g., 60). Include rate limit headers such as X-RateLimit-Remaining to help clients stay within limits proactively.

// Laravel - rate limiting with 429
return response()->json([
    'error' => 'Too many requests',
    'retry_after_seconds' => 60,
], 429)
->header('Retry-After', 60)
->header('X-RateLimit-Limit', 100)
->header('X-RateLimit-Remaining', 0);

Common Mistakes

⚠️

Mistake: Not including a Retry-After header in 429 responses

Fix: Always include a Retry-After header so automated clients know how long to wait before retrying. Without it, clients may retry immediately, defeating the purpose of rate limiting.

⚠️

Mistake: Using 503 instead of 429 for rate limiting

Fix: Use 429 Too Many Requests specifically for rate limiting and quota enforcement. 503 Service Unavailable implies the server is overloaded, not that the client exceeded their limit.

⚠️

Mistake: Not telling clients about their rate limit status

Fix: Include rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) in all responses, not just 429. This helps clients proactively manage their request rate.
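
The 100-requests-per-minute limit from the usage example and the header advice above, as an added Python example (not code from the original page): a fixed-window limiter that returns the status and headers for every request. The class name, `client_key`, and treating X-RateLimit-Reset as Unix epoch seconds are assumptions.

```python
import math
import time


class FixedWindowLimiter:
    """At most `limit` requests per `window` seconds for each client key."""

    def __init__(self, limit=100, window=60, clock=time.time):
        self.limit = limit
        self.window = window
        self.clock = clock      # injectable clock, so behaviour can be tested
        self._windows = {}      # client key -> (window_start, request_count)

    def check(self, client_key):
        """Return (status, headers) for one request from client_key."""
        now = self.clock()
        start, count = self._windows.get(client_key, (now, 0))
        if now - start >= self.window:   # old window expired: open a new one
            start, count = now, 0
        reset_at = start + self.window
        allowed = count < self.limit
        if allowed:
            count += 1
        self._windows[client_key] = (start, count)

        # Sent on every response, not only on 429
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - count),
            # Assumption: reset is given as Unix epoch seconds
            "X-RateLimit-Reset": str(math.ceil(reset_at)),
        }
        if allowed:
            return 200, headers
        # Rejected: seconds left in the window, rounded up, never below 1
        headers["Retry-After"] = str(max(1, math.ceil(reset_at - now)))
        return 429, headers


if __name__ == "__main__":
    fake_now = [1_000_000.0]    # constructed clock value for the demo
    limiter = FixedWindowLimiter(clock=lambda: fake_now[0])
    for _ in range(100):
        status, headers = limiter.check("api-key-A")   # constructed key
    print(status, headers)      # 100th request is still allowed
    fake_now[0] += 15
    print(limiter.check("api-key-A"))   # 101st request: 429, Retry-After 45
```

A fixed window lets a client send up to twice the limit across a window boundary, and this in-memory dictionary is per process and never expires entries. A deployment would keep the counters in a shared store with expiry so all servers see the same count.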

Last updated: 21 Jun 2026