To ensure reliable service for all users, Copyleaks enforces rate limits. Each rate limit has two components - request count and time period.

Exceeding these limits will result in an HTTP 429 Too Many Requests error response.

About Our Limits

Our API has a system-wide default rate limit of 10 requests per second per account. However, certain endpoints have unique, stricter limits to ensure fair usage and optimal performance. Any endpoint not explicitly listed below adheres to the default limit.

Endpoint-Specific Limits

Product	Endpoint	Rate Limit
Login	https://id.copyleaks.com/v3/account/login/api	12 requests per 15 minutes
Authenticity Scan Export	https://api.copyleaks.com/v3/downloads/{SCAN_ID}/export/{EXPORT_ID}	10 requests per minute
AI Image Detector	https://api.copyleaks.com/v1/ai-image-detector/{SCAN_ID}/check	900 requests per 15 minutes

Handling Rate Limit Blocks

When an application receives a 429 Too Many Requests error, simply ignoring it or immediately retrying the same request will only make the problem worse. Exceeding the maximum calls repeatedly will lead to temporary or permanent blocks.

Best Practice: Implement an Exponential Backoff Strategy

Your code must gracefully handle 429 errors. The recommended approach is exponential backoff. When you receive a 429 error, wait for a short interval before retrying. If the request fails again, double the waiting period (e.g., 1s, 2s, 4s, and so on) up to a reasonable maximum. This gives the rate limit window time to reset and allows your application to recover smoothly.

Best Practices

To ensure your integration is robust and efficient, it’s crucial to avoid common mistakes that can lead to being rate-limited. Understanding the correct workflow will save development time and prevent interruptions in service.

Re-authenticating for Every Request

A common issue is calling the login endpoint to get a new token before making every API call. This is inefficient and will quickly lead to being rate-limited due to the endpoint’s strict limit of 12 requests per 15 minutes.

Best Practice: Authenticate Once, Reuse the Token

You should design your application to call the login endpoint once to start a session. The generated JWT access token is valid for 48 hours. Securely store the token and include it in the Authorization: Bearer <Your-Token> header for all subsequent API calls. Only request a new token when the old one is about to expire.

Re-triggering Export for Scans

Another frequent mistake is calling the Authenticity Scan Export endpoint multiple times for the same scan.

Best Practice: Trigger Once and Wait for the Webhook

When a scan is completed, you will receive a completion webhook. We recommend using this as a queue to trigger the export call. The correct workflow is to call the export endpoint a single time for each completed scan. Your system should then wait for Copyleaks to send the export-completed webhook, which signals that the assets (e.g., PDF reports) have been successfully delivered.