API Limits & Policies

To ensure platform stability and prevent fraudulent activities like SMS pumping, we enforce the following rate limits on all accounts.

Global Throughput

20 Requests Per Second

Each account is allowed up to 1,200 requests per minute globally. This is designed to support high-growth applications and bulk verification workflows.

Security Protection

3 OTPs per 5 Minutes per Number

To prevent malicious actors from spamming a single mobile number (scams or SMS pumping), we limit the number of OTPs that can be sent to a specific number to 3 attempts every 5 minutes.

Best Practices

Handle 429 Too Many Requests errors gracefully in your client-side code.
Implement your own client-side delays for the "Resend OTP" button (e.g., 30s or 60s).
Ensure you use the idempotencyKey to avoid double-charging on network retry.
Contact support for custom limit increases if your use case justifies it.