Rate Limits

Gravity SMS enforces rate limits at multiple levels to protect system stability and comply with carrier restrictions. All limits use sliding-window counters.

Rate limit tiers

Limiter	Scope	Limit	Window
API key (app role)	Per API key	`100 requests`	60 seconds
API key (admin role)	Per API key	`500 requests`	60 seconds
Per-phone SMS	Per "from" number	`40 messages`	60 seconds
Failed authentication	Per IP address	`10 attempts`	5 minutes
Connect token	Per tenant	`5 tokens`	1 hour

API key rate limit

Every authenticated API request counts toward the per-key limit. When the limit is exceeded, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait.

429 Too Many Requests

json

{
  "error": "Too many requests"
}

Retry-After header

Retry-After: 12

The Retry-After value is the number of seconds until the current window resets. Wait at least this long before retrying.

Per-phone SMS rate limit

Each "from" phone number is limited to 40 outbound messages per minute. This limit is enforced at the queue worker level, not at the API level. If the limit is exceeded:

The send job is delayed by 5 seconds and retried automatically.
The message remains in queued status until the rate limit window resets.
No error is returned to the caller — the message is eventually delivered.

This limit exists to comply with carrier-level SMS throughput restrictions. Spreading messages across multiple "from" numbers increases effective throughput.

Failed authentication blocking

To protect against brute-force attacks, the gateway tracks failed authentication attempts per IP address. After 10 failed attempts within a 5-minute window, the IP is blocked for 15 minutes.

While blocked, all requests from the IP receive 429 Too many requests with a Retry-After header, regardless of whether the API key is valid.

Connect token rate limit

The POST /v1/rc/connect-token endpoint is limited to 5 requests per tenant per hour. This prevents abuse of the RingCentral OAuth flow. If exceeded, the API returns 429.

Handling rate limits

Recommended strategies for handling rate limits:

Respect Retry-After — Always read the Retry-After header and wait the specified number of seconds before retrying.
Implement exponential backoff — If you receive multiple consecutive 429 responses, increase the wait time between retries.
Batch where possible — Use the messages list endpoint to retrieve multiple messages in a single request instead of polling individual statuses.
Use WebSocket — For real-time status updates, use a WebSocket connection instead of polling the status endpoint.

Related docs

Authentication — API key roles and rate limit tiers
Sending SMS — Per-phone limits and retries
Error Handling — Retryable errors and backoff strategies