What is the difference between 429 and 503?

A 429 means you in particular are being rate limited and ought to slow down and retry; the server is otherwise healthy. A 503 means the server itself is overloaded or in maintenance and cannot serve anyone at the moment. You usually fix a 429 by backing off, a 503 by the website owner restoring capacity.

How long should I wait after a 429?

Wait exactly what the Retry-After header tells you, whether that is a number of seconds or a date to wait until. No such header? Give it at least one second, then use exponential backoff, doubling the delay (1s, 2s, 4s, 8s) until your requests go through.

What is the Retry-After header?

It is a response header telling the client how long to hold off before trying again. The value is either a count of seconds (for instance Retry-After: 60) or an absolute HTTP date. Obeying it is the single most reliable way to clear a 429 without making matters worse.

Why do I get 429 on a shared network or VPN?

Plenty of IP-based limits treat every request from one address as a single client. Behind NAT, a corporate proxy, a VPN exit node, or a mobile carrier, you share that IP with a crowd, so their requests stacked on yours can break the limit even when you barely did anything. Changing networks, or using an authenticated per-key path, usually sorts it out.

Why does an API return 429?

APIs publish quotas (requests per minute, say) to keep the service fair and stable. Once your client runs past the quota for your IP, user, or API key, the API hands back a 429 rather than processing the call. Check the docs for the exact limit, read the rate-limit headers, and queue or throttle your calls to stay beneath it.

Can an uptime monitor cause a 429?

Yes. A monitor that checks an endpoint too often, or several checks coming from the same IP range, can trip the site's rate limiting and pick up a 429. Stick to reasonable intervals and ask the website owner to allowlist the monitoring source so legitimate checks never get throttled.

Is a 429 bad for SEO?

Handing a brief 429 to a misbehaving crawler is fine, and it is exactly how you protect the origin. Serve 429 to Googlebot during a normal crawl, though, and pages can fall out of the index. Allowlist the real search crawlers and save rate limiting for traffic that is genuinely excessive.

What is the difference between a 429 and a 403?

A 429 is about volume, and it is temporary. You are allowed in; you have simply sent too many requests too fast, and it clears once you ease off. A 403 Forbidden is about permission: the server refuses outright, usually because you lack the right credentials or rights, and waiting changes nothing. See a 403 and you fix authentication or access, not your request rate.

There is no Retry-After header. How do I know when to retry?

Servers are encouraged to send Retry-After but not required to, so some leave it out. When it is gone, use exponential backoff: wait a second, then double the delay after each failure (1s, 2s, 4s, 8s), with a touch of random jitter so a fleet of clients does not all retry at once. If the response carries X-RateLimit-Reset, waiting until that exact reset time beats guessing.

Does a 429 mean I am blocked permanently?

No. By design a 429 is a soft, temporary limit pinned to a time window, never a ban. Let the window reset, or drop back under the quota, and your requests go through again. A genuine permanent block would come back as a 403 Forbidden. What stretches a quick 429 into a real headache is hammering away, since aggressive retries can lengthen the cooldown on some servers.

Why does Cloudflare return a 429 even when I am not making many requests?

Cloudflare and similar bot-protection layers do not rely on a raw request count alone. Traffic that looks automated, originates from a flagged IP range, or trips a rate-limiting rule can be throttled at low volume. When this catches real users, the website owner can loosen the rate-limiting or WAF rule, or allowlist the source. As a visitor, dropping a VPN or proxy that shares an IP with bot traffic often clears it.

Should I use 429 or 503 when I rate limit my own API?

Reach for 429. It says plainly that the cause is a rate limit and that backing off will fix it, so well-behaved clients comply on their own. A 503 suggests the entire service is unavailable, which can fool clients and crawlers into thinking you are down. Worth knowing: nginx's rate-limiter returns 503 by default, so add limit_req_status 429; to send the right code.

Could my own uptime monitor be the thing tripping the 429?

Yes, and it is a classic self-inflicted wound. A monitor that pounds an endpoint, or a pile of checks arriving from one IP range, can blow past an IP-based limit and collect the very 429 it then files as an outage. Two habits keep the signal trustworthy: reasonable check intervals, and asking the owner to allowlist the monitoring source. Pulsetic checks every 30 seconds instead of pelting a path many times a second, and because its checks come from a known set of locations you can allowlist them, so a 429 it reports is a real limit hitting real users, not the monitor counting against itself.

429 Too Many Requests

You loaded a page or hit an API and got slapped with 429 Too Many Requests. The server is not down, it just decided you (or your IP) are knocking too often and put up a temporary gate. This guide explains why it happens and how to clear it on either side of the connection.

Updated June 2026 · 5 min read

Written by

Andrian Valeanu Founder of Pulsetic

Andrian Valeanu founded Pulsetic and, before it, Designmodo. Across 15-plus years he has shipped web products, design tools, and monitoring software teams around the world rely on.
Reviewed by

Ionut Caval Technical reviewer

Ionut Caval reviews Pulsetic's technical guides for accuracy. He works hands-on with web servers, networking, and uptime monitoring day to day, and makes sure the causes and fixes here hold up in production.

The short version: Ease off. A 429 means you blew past a rate limit, so stop retrying right away. Look in the response for a Retry-After header and wait that long before your next attempt. If the API is yours, send a clear Retry-After and set limits sized to real traffic.

Key takeaways

A 429 tells you the server is fine and is throttling you on purpose. Retrying harder makes it worse; the cure is to back off.
Look at the Retry-After header before anything else. It states the exact wait in seconds or as an HTTP date, and obeying it is the surest way to get unblocked.
Plenty of APIs add X-RateLimit-* headers showing your quota, how much is left, and when the window resets. Use them to stay under the ceiling rather than guessing.
Watch the scope. A 429 on a single path is a per-endpoint or per-key limit; a 429 on everything usually points to an IP or account limit, often from a shared NAT, VPN, or proxy.
RFC 6585 forbids caching a 429, so every retry gets a fresh verdict. That is why a sensible backoff eventually gets through.

Error type: HTTP 4xx client error
Whose side: Either: too many requests, or a tight limit
Fix difficulty: Easy to moderate
Common cause: Rate limit exceeded in a time window

What does 429 Too Many Requests mean?

A 429 Too Many Requests is a client-error response from RFC 6585. It means you sent too many requests in a given span of time and are now being rate limited. The server is up and reachable. It is throttling you on purpose, to shield itself from overload or abuse. That limiting can run server-wide, per endpoint, per IP, per user, or per API key, which is why the same site can return 429 on one path while serving another normally.

A polite 429 carries a Retry-After header stating precisely how long to hold off, as a count of seconds or an HTTP date. Scope is the real question. A 429 aimed at one client (your IP or API key) clears as soon as you slow down, whereas a 429 served across the board often means the whole service is shedding load. The spec also bars caching of a 429, so each retry gets evaluated afresh.

The path a request takes from your browser to the website's servers. A 429 Too Many Requests is produced at the highlighted stages.

429: HTTP status code
Retry-After: Header telling you when to retry
RFC 6585: Spec that defines the 429 code
4xx: Client-error class it belongs to

How the 429 Too Many Requests error appears

The wording changes depending on your browser, device, or server. Here is how this error commonly shows up:

429

Too Many Requests

You have sent too many requests in a given amount of time.

What a 429 Too Many Requests looks like in the browser. The exact wording varies by browser, device, and server.

429 Too Many Requests
HTTP Error 429
Error 429
Rate limit exceeded
429 Too Many Requests (you have sent too many requests)
HTTP 429

429 vs 503 and 403

All three can block a request, but they mean very different things and point to different fixes.

Code	What it means	Who fixes it
429 Too Many Requests	You hit a rate limit; slow down and retry later	Mostly the client (back off); server can raise limits
503 Service Unavailable	The server is overloaded or down for maintenance	The website owner (capacity or maintenance)
403 Forbidden	You are not allowed to access this resource at all	The website owner (permissions) or the client (auth)

Rate-limit headers you may see with a 429

These headers tell you how long to wait and how much of your quota is left, so check for them before retrying.

Header	What it tells you	Example value
`Retry-After`	How long to wait before the next request, as seconds or an HTTP date. The only header defined in the HTTP spec (RFC 9110) for this.	`Retry-After: 60`
`X-RateLimit-Limit`	The maximum number of requests allowed in the current window. A de facto convention (GitHub, Stripe), not an RFC standard.	`X-RateLimit-Limit: 60`
`X-RateLimit-Remaining`	How many requests you have left in the current window. Hitting zero is what triggers the 429.	`X-RateLimit-Remaining: 0`
`X-RateLimit-Reset`	When the window resets, usually a Unix epoch timestamp, though some APIs send seconds until reset instead. Check the API docs.	`X-RateLimit-Reset: 1717000000`

What causes 429 Too Many Requests?

You blew past an API rate limit, say a documented requests-per-minute quota
A loop that refreshes, scrapes, or polls an endpoint far too fast
One public IP shared behind NAT, a corporate proxy, or a mobile carrier, so a crowd of users registers as a single client
A bot, plugin, or background job pounding the server on a tight schedule
DDoS or bot-protection rules (Cloudflare and the like) throttling traffic that looks suspicious
A burst of login or password-reset attempts hitting an abuse limit
A monitor or crawler checking far more often than the limit permits

How to find the cause fast

Read the response headers. Retry-After and any X-RateLimit-* values spell out the wait and the quota
Work out whether it is one endpoint or all of them: a single path means a per-resource limit; everything means an IP or account limit
See whether you are sitting behind a shared IP, VPN, or proxy that other clients use too
Pull your own request rate for the last minute and hour, in case a script or a stray tab is looping

curl -sI https://example.com/apiHTTP/1.1 429 Too Many RequestsRetry-After: 60# you hit the rate limit; wait the Retry-After seconds

What a 429 Too Many Requests looks like from the command line. The grey lines starting with # are explanatory comments.

How 429 Too Many Requests looks from the outside

From outside, a 429 reads nothing like a real outage. The server answered; it just turned you away for now. A monitor that calls every non-200 a failure will mark a 429 as down even though the site is healthy for ordinary visitors. The reverse is a trap too: a monitor that pounds an endpoint, or a wave of checks from one IP, can trip a rate limit itself and produce the 429 it later reports. Reasonable intervals and a dedicated, allowlisted monitoring path are what keep the signal honest.

To confirm the exact code a URL returns, or to re-test several at once after a fix, run them through the free bulk URL status checker.

How to fix 429 Too Many Requests

If you are a visitor

Wait. Honor the Retry-After value before you reload, and if there is none, give it a minute at least
Quit mashing refresh or resubmitting forms in a hurry; it only resets the clock
Switch off pushy browser extensions or auto-refreshers firing requests in the background
Drop a shared VPN or proxy IP, or change networks, so you stop getting lumped in with everyone else on it
Calling an API? Slow the request rate and add backoff between calls
Clear the website's cookies, since some limits track a session token
Still happening on normal browsing? Get in touch with the website so they can review their rules

If you run the website or API

Send an accurate Retry-After header (and ideally X-RateLimit-*) every time, so clients can comply
Size your rate limits to real usage instead of picking arbitrarily low numbers
Allowlist clients you trust: your own monitors, partners, and the good bots you recognize
Put caching and a CDN in front so repeat requests never touch the rate-limited origin
Split human traffic from automated, and favor per-API-key limits over per-IP to spare shared-NAT users
Add capacity or lift limits when legitimate traffic spikes (launches, campaigns)
Return 429, not 503, for rate limiting so the cause is unambiguous; in nginx, set limit_req_status 429

Still not fixed? Next steps

Find the published limit in the API docs, then queue or throttle your client to stay under that requests-per-minute or per-hour quota. Blind retries just keep tripping it.
Behind a shared IP (corporate NAT, VPN exit node, mobile carrier)? Move to an authenticated, per-API-key path or a different network so strangers' traffic stops being charged to you.
When the 429 shows up during ordinary browsing rather than an API call, reach out to the website owner. An over-tight WAF or bot rule (Cloudflare is a frequent culprit) may be throttling real visitors, and only they can loosen it.
Running the service yourself? Send an accurate Retry-After (and ideally X-RateLimit-*), and allowlist clients you trust, your own monitors and known search crawlers among them, so genuine traffic never gets throttled.

Code & configuration

Copy-paste starting points. Replace example.com and the paths with your own, and test changes on staging before production.

Read the Retry-After header and back off

# Show response headers so you can see the limit and the wait time
curl -sS -D - -o /dev/null https://api.example.com/v1/items

# Typical 429 response:
#   HTTP/1.1 429 Too Many Requests
#   Retry-After: 60
#   Content-Type: application/json
#
# Retry-After can be seconds (60) or an HTTP date.
# Wait the stated time, then send ONE request, not a burst.

Return 429 with nginx rate limiting

# In the http block: 30 requests/sec per client IP, 10MB state zone
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;

server {
  location /api/ {
    limit_req zone=api burst=20 nodelay;
    limit_req_status 429;          # default is 503; 429 is correct here
    proxy_pass http://backend;
  }
}
# burst=20 absorbs short spikes; excess requests get 429.

Exponential backoff with jitter (pseudo-code)

delay = 1
for attempt in 1..6:
    res = send_request()
    if res.status != 429:
        return res
    wait = res.header("Retry-After") or delay
    sleep(wait + random(0, 1))     # jitter avoids a synchronized retry storm
    delay = delay * 2              # 1s, 2s, 4s, 8s, 16s ...
fail("still rate limited after retries")

How to prevent 429 Too Many Requests

Rate limiting exists to protect you, yet a misconfigured limit can shut out real users and crawlers with no warning. Pulsetic checks your website from multiple locations every 30 seconds, at intervals gentle enough not to trip your limits, and alerts you by email, SMS, voice call, Slack, Discord, or webhook when a page starts returning 429 instead of loading. It watches availability from the outside, not your server's internals.

Learn how Pulsetic's uptime monitoring detects this from the outside, across 15+ locations.

Related errors

Browse all error guides

Frequently asked questions

What is the difference between 429 and 503?

A 429 means you in particular are being rate limited and ought to slow down and retry; the server is otherwise healthy. A 503 means the server itself is overloaded or in maintenance and cannot serve anyone at the moment. You usually fix a 429 by backing off, a 503 by the website owner restoring capacity.
How long should I wait after a 429?

Wait exactly what the Retry-After header tells you, whether that is a number of seconds or a date to wait until. No such header? Give it at least one second, then use exponential backoff, doubling the delay (1s, 2s, 4s, 8s) until your requests go through.
What is the Retry-After header?

It is a response header telling the client how long to hold off before trying again. The value is either a count of seconds (for instance Retry-After: 60) or an absolute HTTP date. Obeying it is the single most reliable way to clear a 429 without making matters worse.
Why do I get 429 on a shared network or VPN?

Plenty of IP-based limits treat every request from one address as a single client. Behind NAT, a corporate proxy, a VPN exit node, or a mobile carrier, you share that IP with a crowd, so their requests stacked on yours can break the limit even when you barely did anything. Changing networks, or using an authenticated per-key path, usually sorts it out.
Why does an API return 429?

APIs publish quotas (requests per minute, say) to keep the service fair and stable. Once your client runs past the quota for your IP, user, or API key, the API hands back a 429 rather than processing the call. Check the docs for the exact limit, read the rate-limit headers, and queue or throttle your calls to stay beneath it.
Can an uptime monitor cause a 429?

Yes. A monitor that checks an endpoint too often, or several checks coming from the same IP range, can trip the site's rate limiting and pick up a 429. Stick to reasonable intervals and ask the website owner to allowlist the monitoring source so legitimate checks never get throttled.
Is a 429 bad for SEO?

Handing a brief 429 to a misbehaving crawler is fine, and it is exactly how you protect the origin. Serve 429 to Googlebot during a normal crawl, though, and pages can fall out of the index. Allowlist the real search crawlers and save rate limiting for traffic that is genuinely excessive.
What is the difference between a 429 and a 403?

A 429 is about volume, and it is temporary. You are allowed in; you have simply sent too many requests too fast, and it clears once you ease off. A 403 Forbidden is about permission: the server refuses outright, usually because you lack the right credentials or rights, and waiting changes nothing. See a 403 and you fix authentication or access, not your request rate.
There is no Retry-After header. How do I know when to retry?

Servers are encouraged to send Retry-After but not required to, so some leave it out. When it is gone, use exponential backoff: wait a second, then double the delay after each failure (1s, 2s, 4s, 8s), with a touch of random jitter so a fleet of clients does not all retry at once. If the response carries X-RateLimit-Reset, waiting until that exact reset time beats guessing.
Does a 429 mean I am blocked permanently?

No. By design a 429 is a soft, temporary limit pinned to a time window, never a ban. Let the window reset, or drop back under the quota, and your requests go through again. A genuine permanent block would come back as a 403 Forbidden. What stretches a quick 429 into a real headache is hammering away, since aggressive retries can lengthen the cooldown on some servers.
Why does Cloudflare return a 429 even when I am not making many requests?

Cloudflare and similar bot-protection layers do not rely on a raw request count alone. Traffic that looks automated, originates from a flagged IP range, or trips a rate-limiting rule can be throttled at low volume. When this catches real users, the website owner can loosen the rate-limiting or WAF rule, or allowlist the source. As a visitor, dropping a VPN or proxy that shares an IP with bot traffic often clears it.
Should I use 429 or 503 when I rate limit my own API?

Reach for 429. It says plainly that the cause is a rate limit and that backing off will fix it, so well-behaved clients comply on their own. A 503 suggests the entire service is unavailable, which can fool clients and crawlers into thinking you are down. Worth knowing: nginx's rate-limiter returns 503 by default, so add limit_req_status 429; to send the right code.
Could my own uptime monitor be the thing tripping the 429?

Yes, and it is a classic self-inflicted wound. A monitor that pounds an endpoint, or a pile of checks arriving from one IP range, can blow past an IP-based limit and collect the very 429 it then files as an outage. Two habits keep the signal trustworthy: reasonable check intervals, and asking the owner to allowlist the monitoring source. Pulsetic checks every 30 seconds instead of pelting a path many times a second, and because its checks come from a known set of locations you can allowlist them, so a 429 it reports is a real limit hitting real users, not the monitor counting against itself.

Catch the next outage before your visitors do.

2-minute setup · Cancel any time
Create Free Account

Your Dashboard

No credit card needed