Eric Perraudeau

QualysGuard API limits exposed in the header

Discussion created by Eric Perraudeau on May 10, 2011



There is a cool new feature available for the API v1 and v2 frameworks: each and every response returned by the API exposes your API limits in the header.

For instance you can try: curl -D header.txt -u user:pass ''


The file header.txt will then contain something like:


HTTP/1.1 200 OK

Date: Tue, 10 May 2011 21:17:37 GMT

Server: qweb/4.0h.QEL4

X-RateLimit-Limit: 300

X-RateLimit-Window-Sec: 86400

X-Concurrency-Limit-Limit: 2

X-Concurrency-Limit-Running: 1

X-RateLimit-ToWait-Sec: 0

X-RateLimit-Remaining: 299

Transfer-Encoding: chunked

Content-Type: application/xml


Some explanations:

X-RateLimit-Limit: 300 means that your subscription is configured to allow 300 calls per API call/function (in this example, about.php can be called 300 times, independently of the other API calls that are performed with the same account) during the sliding window given by X-RateLimit-Window-Sec.

X-RateLimit-Window-Sec: 86400 is the sliding window (in seconds) for the parameter above. 86400 seconds is 24 hours.

X-Concurrency-Limit-Limit: 2 means you can launch the same call 2 times at the same time.

X-Concurrency-Limit-Running: 1 means only one call is currently running.

X-RateLimit-ToWait-Sec: 0 means you have not been blocked, so you don't have to wait before launching a new call.

X-RateLimit-Remaining: 299 means you still have 299 calls available for this API call for the time remaining in the sliding window.

If for some reason you are blocked, you get a 409 HTTP error, and you can find the root cause of the problem in the header or the response (either the concurrency limit was reached, or you made too many calls and need to wait X-RateLimit-ToWait-Sec seconds).


For more information, please refer to the API user guides available here:
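Added example (not part of the original post, and not Qualys code): a small Python parser for a `curl -D header.txt` dump that uses the headers described above to decide how long a script should wait before calling the same API function again. The function names, the 30-second `concurrency_backoff` default and the two 409 samples are assumptions constructed for illustration.

```python
import re

STATUS = re.compile(r"HTTP/\d(?:\.\d)?\s+(\d{3})")

def parse_headers(raw):
    """Parse a `curl -D` dump into (status, {lowercased header name: value})."""
    status, headers = None, {}
    for line in raw.splitlines():
        line = line.strip()
        m = STATUS.match(line)
        if m:  # curl -D writes one block per response; keep only the last
            status, headers = int(m.group(1)), {}
        elif status is not None and ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    if status is None:
        raise ValueError("no HTTP status line found")
    return status, headers

def _num(headers, name):
    """Header value as a non-negative int, or None if absent or malformed."""
    value = headers.get(name, "")
    return int(value) if value.isdigit() else None

def next_call_delay(raw, concurrency_backoff=30):
    """Return (seconds to wait, reason) before repeating the same API call."""
    status, h = parse_headers(raw)
    to_wait = _num(h, "x-ratelimit-towait-sec") or 0
    if to_wait > 0:
        return to_wait, "rate limit reached"
    # Assumption: a 409 with nothing to wait for is a concurrency block;
    # concurrency_backoff is an assumed retry delay, not a value from the API.
    if status == 409:
        return concurrency_backoff, "concurrency limit reached"
    running = _num(h, "x-concurrency-limit-running")
    limit = _num(h, "x-concurrency-limit-limit")
    if running is not None and limit is not None and running >= limit:
        return 0, "ok, all concurrency slots in use"
    return 0, "ok"

# Header values from the post above, then two constructed 409 responses.
OK = "HTTP/1.1 200 OK\r\nX-RateLimit-Limit: 300\r\nX-RateLimit-Window-Sec: 86400\r\n" \
     "X-Concurrency-Limit-Limit: 2\r\nX-Concurrency-Limit-Running: 1\r\n" \
     "X-RateLimit-ToWait-Sec: 0\r\nX-RateLimit-Remaining: 299\r\n"
RATE_BLOCKED = "HTTP/1.1 409 Conflict\r\nX-RateLimit-ToWait-Sec: 1200\r\nX-RateLimit-Remaining: 0\r\n"
CONC_BLOCKED = "HTTP/1.1 409 Conflict\r\nX-Concurrency-Limit-Limit: 2\r\n" \
               "X-Concurrency-Limit-Running: 2\r\nX-RateLimit-ToWait-Sec: 0\r\n"

if __name__ == "__main__":
    for sample in (OK, RATE_BLOCKED, CONC_BLOCKED):
        print(next_call_delay(sample))
```

Header names are matched case-insensitively, and when the dump holds several response blocks only the last one is used.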