AES Encryption Explained: How It Works and Why It Matters
Jun 23, 2026
4xx Client Error
The 429 (Too Many Requests) status code indicates that the client has sent too many requests in a given amount of time. The response should include a Retry-After header indicating how long the client should wait before making a new request. This is the standard response for API rate limiting.
When a client exceeds its quota (for example, 100 requests per minute), return 429 Too Many Requests with a Retry-After header set to the number of seconds to wait (e.g., 60). Include rate limit headers such as X-RateLimit-Remaining so clients can stay within their limits proactively.
// Laravel - rate limiting with 429 (returned from a route or controller once the client's quota is exhausted)
return response()->json([
        'error' => 'Too many requests',
        'retry_after_seconds' => 60,
    ], 429)
    ->header('Retry-After', 60)            // seconds the client should wait before retrying
    ->header('X-RateLimit-Limit', 100)     // requests allowed per window
    ->header('X-RateLimit-Remaining', 0);  // none left in the current window
Mistake: Not including a Retry-After header in 429 responses
Fix: Always include a Retry-After header so automated clients know how long to wait before retrying. Without it, clients may retry immediately, defeating the purpose of rate limiting.
Mistake: Using 503 instead of 429 for rate limiting
Fix: Use 429 Too Many Requests specifically for rate limiting and quota enforcement. 503 Service Unavailable implies the server is overloaded, not that the client exceeded its limit.
Mistake: Not telling clients about their rate limit status
Fix: Include rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) in all responses, not just 429. This helps clients proactively manage their request rate.