4xx Client Error | Commonly used | RFC 6585

429 Too Many Requests

Client has sent too many requests — rate limited.

What it means

The user has sent too many requests in a given amount of time (rate limiting). The server may include a Retry-After header indicating when the client can retry.

When to use it

  • API rate limit exceeded
  • Login attempt brute force protection
  • DDoS protection
  • Per-user or per-IP request throttling

Code Examples

Express with express-rate-limit
javascript
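import express from 'express';
import rateLimit from 'express-rate-limit';

const app = express();

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,                  // max 100 requests per window
  standardHeaders: true,     // Return rate limit info in headers
  handler: (req, res) => {
    // resetTime is a Date: report the seconds left in the window, not an epoch value
    const retryAfter = Math.max(
      0,
      Math.ceil((req.rateLimit.resetTime.getTime() - Date.now()) / 1000),
    );
    res.status(429).json({
      error: 'Too Many Requests',
      message: `Rate limit exceeded. Try again in ${retryAfter} seconds.`,
      retryAfter,
    });
  },
});

// Apply the limiter to every route under /api/
app.use('/api/', limiter);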

Quick Facts

Code: 429
Category: Client Error
Spec: RFC 6585
Common: Yes

Relevant Headers

Retry-After

Number of seconds to wait before making another request

X-RateLimit-Limit

Maximum requests allowed in the window

X-RateLimit-Remaining

Requests remaining in the current window

X-RateLimit-Reset

Unix timestamp when the rate limit resets
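
The headers listed above, computed by a small in-memory fixed-window limiter keyed per client. This is an added example, not code from the original page or from express-rate-limit; `FixedWindowLimiter`, `check`, `demo`, the injectable clock, and the sample IP and timestamp are assumptions made for illustration.

```javascript
// Added example: fixed-window limiter keyed per client (user ID or IP).
// `now` is injectable so the behaviour can be checked without waiting.
class FixedWindowLimiter {
  constructor({ windowMs, max, now = Date.now }) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;
    this.windows = new Map(); // key -> { count, resetAt (ms since epoch) }
    // A long-running service also needs to evict idle keys from this map.
  }

  // Record one request for `key` and return the status and headers to send.
  check(key) {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t >= w.resetAt) {
      w = { count: 0, resetAt: t + this.windowMs }; // start a new window
      this.windows.set(key, w);
    }
    w.count += 1;
    const limited = w.count > this.max;
    const headers = {
      'X-RateLimit-Limit': String(this.max),
      'X-RateLimit-Remaining': String(Math.max(0, this.max - w.count)),
      'X-RateLimit-Reset': String(Math.ceil(w.resetAt / 1000)), // Unix seconds
    };
    if (limited) {
      // Retry-After is a delay in seconds, not a timestamp.
      headers['Retry-After'] = String(Math.ceil((w.resetAt - t) / 1000));
    }
    return { status: limited ? 429 : 200, headers };
  }
}

// Constructed demo: 3 login attempts per minute per IP, driven by a fake clock.
function demo() {
  let clock = 1700000000000; // constructed timestamp (ms)
  const limiter = new FixedWindowLimiter({ windowMs: 60000, max: 3, now: () => clock });
  const ip = '203.0.113.7'; // documentation-range address, constructed
  const results = [1, 2, 3, 4].map(() => limiter.check(ip)); // 4th exceeds the limit
  clock += 45000;
  results.push(limiter.check(ip)); // still limited, 15 s left in the window
  clock += 15000;
  results.push(limiter.check(ip)); // window has reset, request allowed again
  return results;
}
```

Rejected requests still increment the counter here, so a client that keeps hammering the endpoint stays limited until the window ends.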
