Rate Limits

The SmugMug API has rate limits. We try to keep the limits generous, because we don't want to interfere with awesome applications, but you should know how they work.

Authenticated requests are limited per-user-per-application. Unauthenticated requests are limited per-application.

Requests are limited on a windowed basis: when you first make a request, a window of time begins. During that window, you can only make a certain number of requests. A new window starts at the first request made after the end of the previous window.

Every API response includes headers about the rate limit, so your application can be proactive:

X-RateLimit-Remaining: The number of additional requests you can make within the current window
X-RateLimit-Reset: The end of the current window (as the number of seconds since 1970-01-01 00:00:00 UTC)

These headers are based on an emerging consensus among major websites.

If you do hit the limit, your request will fail with the status code 429 and a header telling you when to try again:

Retry-After: The number of seconds until the end of the current window
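
An added example (not SmugMug's own code) of a client acting on these headers: it holds off once X-RateLimit-Remaining reaches 0 and retries a 429 after the Retry-After interval. The names seconds_to_wait, RateLimitedCaller and DEFAULT_BACKOFF, and the send() callable returning (status, headers, body), are assumptions made for illustration.

```python
import time

DEFAULT_BACKOFF = 60  # assumed fallback (seconds) when a 429 carries no usable header

def _int_header(headers, name):
    """Return a header as a non-negative int, or None if absent or malformed."""
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    try:
        value = int(str(lowered[name.lower()]).strip())
    except (KeyError, ValueError):
        return None
    return value if value >= 0 else None

def seconds_to_wait(status, headers, now):
    """Seconds to pause before the next request, from the headers described above."""
    reset = _int_header(headers, "X-RateLimit-Reset")
    until_reset = max(0, reset - now) if reset is not None else None
    if status == 429:
        retry_after = _int_header(headers, "Retry-After")  # seconds, per this page
        if retry_after is not None:
            return retry_after
        return until_reset if until_reset is not None else DEFAULT_BACKOFF
    # Proactive case: the window is used up, so hold off until it ends.
    if _int_header(headers, "X-RateLimit-Remaining") == 0 and until_reset is not None:
        return until_reset
    return 0

class RateLimitedCaller:
    """Wraps send() -> (status, headers, body); hypothetical helper, not a SmugMug API."""

    def __init__(self, send, sleep=time.sleep, clock=time.time, max_attempts=3):
        self.send, self.sleep, self.clock = send, sleep, clock
        self.max_attempts = max_attempts
        self.not_before = 0.0  # earliest time the next request may be sent

    def request(self):
        for _ in range(self.max_attempts):
            delay = self.not_before - self.clock()
            if delay > 0:
                self.sleep(delay)
            status, headers, body = self.send()
            now = self.clock()
            self.not_before = now + seconds_to_wait(status, headers, now)
            if status != 429:
                return status, body
        raise RuntimeError("still rate limited after %d attempts" % self.max_attempts)
```

Because limits are counted per user per application, keep one RateLimitedCaller per authenticated user rather than sharing one across users.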