Understanding Rate Limits
To ensure reliable service for all users, Copyleaks enforces rate limits. Each rate limit has two components: a request count and a time period.
Exceeding these limits will result in an HTTP 429 Too Many Requests error response.
About Our Limits
Our API has a system-wide default rate limit of 10 requests per second per account. However, certain endpoints have unique, stricter limits to ensure fair usage and optimal performance. Any endpoint not explicitly listed below adheres to the default limit.
Endpoint-Specific Limits
| Product | Endpoint | Rate Limit |
|---|---|---|
| Login | https://id.copyleaks.com/v3/account/login/api | 12 requests per 15 minutes |
| Authenticity Scan Export | https://api.copyleaks.com/v3/downloads/{SCAN_ID}/export/{EXPORT_ID} | 10 requests per minute |
| AI Image Detector | https://api.copyleaks.com/v1/ai-image-detector/{SCAN_ID}/check | 900 requests per 15 minutes |
Handling Rate Limit Blocks
When an application receives a 429 Too Many Requests error, simply ignoring it or immediately retrying the same request will only make the problem worse. Exceeding the maximum calls repeatedly will lead to temporary or permanent blocks.
Implement Exponential Backoff
Your code must gracefully handle 429 errors. The recommended approach is exponential backoff. When you receive a 429 error, wait for a short interval before retrying. If the request fails again, double the waiting period (e.g., 1s, 2s, 4s, and so on) up to a reasonable maximum. This gives the rate limit window time to reset and allows your application to recover smoothly.
Best Practices
To ensure your integration is robust and efficient, it’s crucial to avoid common mistakes that can lead to being rate-limited. Understanding the correct workflow will save development time and prevent interruptions in service.
Re-authenticating for Every Request
A common issue is calling the login endpoint to get a new token before making every API call. This is inefficient and will quickly lead to being rate-limited due to the endpoint’s strict limit of 12 requests per 15 minutes.
Authenticate Once, Reuse the Token
You should design your application to call the login endpoint once to start a session. The generated JWT access token is valid for 48 hours. Securely store the token and include it in the Authorization: Bearer <Your-Token> header for all subsequent API calls. Only request a new token when the old one is about to expire.
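The two recommendations above (back off on 429, and log in once then reuse the token) can be combined as follows. This is an added example, not Copyleaks' own code: `TokenCache`, `call_with_backoff`, the 5-minute refresh margin, the 32-second cap and the retry count are assumptions, and `login` and `send` are caller-supplied callables standing in for the real HTTP calls.

```python
import time

TOKEN_LIFETIME = 48 * 3600   # from the page: the access token is valid for 48 hours
REFRESH_MARGIN = 5 * 60      # assumption: refresh 5 minutes before expiry

class TokenCache:
    """Call login() once and reuse its token until it is about to expire."""
    def __init__(self, login, clock=time.time):
        self._login, self._clock = login, clock
        self._token, self._expires = None, 0.0

    def get(self):
        # Only hit the login endpoint (12 requests per 15 minutes) when needed.
        if self._token is None or self._clock() >= self._expires - REFRESH_MARGIN:
            self._token = self._login()
            self._expires = self._clock() + TOKEN_LIFETIME
        return self._token

def call_with_backoff(send, base=1.0, cap=32.0, max_retries=5, sleep=time.sleep):
    """Call send() until it stops returning 429, doubling the wait each time.

    send() returns (status_code, body). Returns (status_code, body, waits),
    where waits lists the delays that were actually slept.
    """
    waits, delay = [], base
    for attempt in range(max_retries + 1):
        status, body = send()
        if status != 429:
            return status, body, waits
        if attempt < max_retries:
            sleep(delay)
            waits.append(delay)
            delay = min(delay * 2, cap)   # 1s, 2s, 4s, ... up to the cap
    return status, body, waits            # still 429: surface it to the caller

if __name__ == "__main__":
    # Constructed responses: two rate-limit rejections, then success.
    replies = iter([(429, ""), (429, ""), (200, "scan accepted")])
    cache = TokenCache(lambda: "constructed-token")

    def send():
        headers = {"Authorization": "Bearer " + cache.get()}  # same token every call
        return next(replies)   # a real client would send the request with headers

    print(call_with_backoff(send, sleep=lambda s: None))  # no real sleeping in the demo
```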
Re-triggering Export for Scans
Another frequent mistake is calling the Authenticity Scan Export endpoint multiple times for the same scan.
Trigger Once, Wait for the Webhook
When a scan is completed, you will receive a completion webhook. We recommend using this as a cue to trigger the export call. The correct workflow is to call the export endpoint a single time for each completed scan. Your system should then wait for Copyleaks to send the export-completed webhook, which signals that the assets have been successfully delivered.