Claimful docs
API rate limits
Per-endpoint rate-limit table and ADR 0017 source-of-truth bucket.
Per-endpoint rate-limit table (ADR 0017 §1 lines 27-33 verbatim)
| Endpoint | Per-merchant cap | Per-IP cap | Cloudflare WAF |
|---|---|---|---|
POST /api/v1/offers/quote | 5000/min | 500/min | 50/10s = 300/min/IP |
POST /api/v1/offers/confirm | 1000/min | 200/min | global 100/min/IP challenge |
POST /api/v1/offers/void | 200/min | 60/min | global only |
GET /api/v1/merchants/{id}/metrics | 1000/min | 100/min | global only |
GET /api/v1/merchants/{id}/claims | 1000/min | 100/min | global only |
POST /api/v1/portal/lookup | n/a | 30/min/IP + 10/hr/email | global only |
Source-of-truth: merchant_api_strict bucket (ADR 0017 §1 lines 45-52 verbatim)
RateLimiter::for('merchant_api_strict', function (Request $r) {
$merchantId = $r->user()?->merchant_id ?? $r->header('X-Merchant-Id');
return [
Limit::perMinute(1000)->by("merchant:{$merchantId}"),
Limit::perMinute(100)->by("merchant_ip:{$merchantId}:" . $r->ip()),
];
});Public commitment cross-reference
The aggregate 1,000 req/min per merchant floor is published verbatim on /pricing §D and /commitments §1per ADR 0039 §1 line 36 safe-form copy: “Up to 1,000 req/min aggregate per merchant; subject to per-IP and WAF anti-abuse limits documented in API reference. Distribute traffic across egress IPs to maximize throughput.”
Doc-vs-implementation gap (ADR 0039 §1 line 51 verbatim)
Until the per-IP secondary caps are raised to ≥1,000 rpm or the marketing copy is amended per above, a merchant integrating from a single egress IP cannot reach the advertised aggregate floor. This was the legal-review-blocker §1 item, closed in Phase 14 by publishing the verbatim safe-form copy on /pricing §D and the full per-endpoint table on this page.