Rate limits

Multiple layers of rate limiting protect the S2S create-payment flow.


Invalid authentication

Failed or missing credentials consume budget from an invalid-auth limiter (keyed by client IP):

Setting                    Environment variable                  Default (if unset)
Max events per window      KOLLECT_S2S_INVALID_AUTH_MAX          30
Window length (seconds)    KOLLECT_S2S_INVALID_AUTH_WINDOW_SEC   900 (15 minutes)

Exceeding the limit returns 429 with code RATE_LIMIT_EXCEEDED.


Per-merchant (API key)

After successful authentication, requests consume budget from a per-API-key limiter:

Setting                    Environment variable / source           Default
Max requests per window    Access token limit field (minimum 1)    1000 if missing
Window length (seconds)    KOLLECT_S2S_MERCHANT_WINDOW_SEC         60

Exceeding the limit returns 429 with code RATE_LIMIT_EXCEEDED and may include details (limit, window).


Redis dependency

In production, if Redis is unavailable and memory fallback is not explicitly allowed, rate limiting may fail with 503. Set KOLLECT_S2S_ALLOW_MEMORY_FALLBACK=true only when your operations team approves dev/staging behavior.
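The three layers above (invalid-auth limiter keyed by client IP, per-API-key limiter sized from the access token, and the Redis-dependency 503 path) modelled end to end as an added illustration; this is not Kollect's own code. The fixed-window algorithm, the token fields `api_key` and `limit`, the 401 and 503 response codes, and the in-memory `redis_up` flag standing in for a real Redis connection are assumptions made for the example.

```python
import os
import time
from collections import defaultdict


class FixedWindowLimiter:
    """Counts events per key in fixed windows of window_sec seconds.

    The real service keeps counters in Redis; a dict stands in here, and the
    redis_up flag (assumed) models the dependency so the 503 path can be shown.
    """
    def __init__(self, max_events, window_sec, clock=time.time, redis_up=True):
        self.max_events, self.window_sec, self.clock = max_events, window_sec, clock
        self.redis_up = redis_up
        self.counts = defaultdict(int)  # (key, window index) -> events seen

    def hit(self, key, max_events=None):
        """Record one event for key; True while the key is within budget."""
        limit = max_events if max_events is not None else self.max_events
        window = int(self.clock() // self.window_sec)
        self.counts[(key, window)] += 1
        return self.counts[(key, window)] <= limit


def env_int(name, default):
    return int(os.environ.get(name, default))


def build_limiters(clock=time.time, redis_up=True):
    """Read the documented settings; defaults match the tables above."""
    invalid_auth = FixedWindowLimiter(env_int("KOLLECT_S2S_INVALID_AUTH_MAX", 30),
                                      env_int("KOLLECT_S2S_INVALID_AUTH_WINDOW_SEC", 900),
                                      clock, redis_up)
    merchant = FixedWindowLimiter(1000, env_int("KOLLECT_S2S_MERCHANT_WINDOW_SEC", 60),
                                  clock, redis_up)
    return invalid_auth, merchant


def create_payment(client_ip, token, invalid_auth, merchant):
    """Apply both layers in order. token is the decoded access token (dict) or None.

    Returns (status, body). Token field names and the 401/503 codes are assumptions.
    """
    if not invalid_auth.redis_up and os.environ.get("KOLLECT_S2S_ALLOW_MEMORY_FALLBACK") != "true":
        return 503, {"code": "RATE_LIMITER_UNAVAILABLE"}   # hypothetical code name
    if not token or "api_key" not in token:               # failed or missing credentials
        if not invalid_auth.hit(client_ip):
            return 429, {"code": "RATE_LIMIT_EXCEEDED"}
        return 401, {"code": "UNAUTHORIZED"}              # hypothetical code name
    limit = max(1, int(token.get("limit", 1000)))         # token limit field, minimum 1, 1000 if missing
    if not merchant.hit(token["api_key"], limit):
        return 429, {"code": "RATE_LIMIT_EXCEEDED", "limit": limit, "window": merchant.window_sec}
    return 200, {"code": "OK"}
```

Swapping the dict for a Redis INCR with an expiry gives the same semantics; the clock parameter exists so the window roll-over can be exercised deterministically.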
