Intermediate
You are building a script that pulls data from an external API — maybe it fetches weather data, processes payment transactions, or syncs records from a third-party service. It works perfectly in testing, but when you deploy it to production and it starts making hundreds of requests, everything falls apart. The API starts returning 429 Too Many Requests errors, your script crashes, and you lose data. This is the rate limit problem, and every developer who works with APIs will hit it eventually.
The good news is that handling rate limits is a solved problem. Python’s requests library combined with a few simple patterns — exponential backoff, jitter, and retry logic — can make your API calls resilient and well-behaved. For more complex scenarios, the tenacity library (pip install tenacity) provides a powerful decorator-based retry system. You will also want the requests library if you do not have it already: pip install requests.
In this article we will cover everything you need to handle API rate limits like a professional. We will start with a quick example that adds retry logic to a simple API call, then explain what rate limits are and why APIs enforce them. From there we will build retry logic from scratch using exponential backoff, learn the tenacity library for production-grade retries, handle the Retry-After header that many APIs send, implement request throttling to stay under limits proactively, and finish with a real-life project that builds a reusable API client with built-in rate limit handling. By the end, your API calls will never crash from a 429 again.
Handling API Rate Limits: Quick Example
Here is the simplest way to add retry logic to an API call. This example retries failed requests with increasing delays between attempts, which is all you need for basic rate limit handling.
# quick_example.py
import requests
import time
def fetch_with_retry(url, max_retries=3):
"""Fetch a URL with automatic retry on failure."""
for attempt in range(max_retries):
response = requests.get(url)
if response.status_code == 200:
return response.json()
elif response.status_code == 429:
wait = 2 ** attempt # Exponential backoff: 1s, 2s, 4s
print(f"Rate limited! Waiting {wait}s before retry {attempt + 1}...")
time.sleep(wait)
else:
response.raise_for_status()
raise Exception(f"Failed after {max_retries} retries")
# Test with a real API
data = fetch_with_retry("https://jsonplaceholder.typicode.com/posts/1")
print(f"Title: {data['title']}")
print(f"User ID: {data['userId']}")Output:
Title: sunt aut facere repellat provident occaecati excepturi optio reprehenderit
User ID: 1This simple function checks the response status code after each request. If it gets a 429, it waits progressively longer before retrying — 1 second, then 2, then 4. This is called exponential backoff and it is the foundation of all rate limit handling. The real API at jsonplaceholder.typicode.com does not rate limit us in this case, so the request succeeds on the first try, but the retry logic is ready for when it matters.
Want to go deeper? Below we explain the different retry strategies, build a production-grade solution with the tenacity library, and create a reusable API client you can drop into any project.
What Are API Rate Limits and Why Do They Exist?
A rate limit is a restriction that an API server places on how many requests a client can make within a specific time window. When you exceed that limit, the server responds with HTTP status code 429 Too Many Requests instead of processing your request. This is not an error in your code — it is the API telling you to slow down.
APIs enforce rate limits for several practical reasons. First, they protect the server from being overwhelmed by a single client making thousands of requests per second. Second, they ensure fair usage — if one user monopolizes the server, other users get slow or no responses. Third, they manage infrastructure costs — every request costs the API provider compute time, bandwidth, and money. Most API documentation clearly states the rate limits, and many include rate limit headers in their responses so you can track your usage.
Here is how different APIs typically communicate their rate limits.
| Header | Meaning | Example |
|---|---|---|
X-RateLimit-Limit | Maximum requests allowed per window | 100 |
X-RateLimit-Remaining | Requests left in current window | 23 |
X-RateLimit-Reset | When the window resets (Unix timestamp) | 1710360000 |
Retry-After | Seconds to wait before retrying (on 429) | 30 |
The most important header is Retry-After — when an API sends a 429 response with this header, it is telling you exactly how long to wait. Always respect this value because the API knows when your rate limit window resets. If you keep hammering the server, some APIs will escalate to longer blocks or even ban your API key. Now let us build proper retry logic.
Building Retry Logic With Exponential Backoff
Exponential backoff means waiting longer after each failed attempt. Instead of retrying immediately (which would just get rate-limited again), you wait 1 second, then 2, then 4, then 8, and so on. This gives the API server time to recover and your rate limit window time to reset. Adding random jitter (a small random delay) prevents the “thundering herd” problem where multiple clients all retry at the exact same moment.
# exponential_backoff.py
import requests
import time
import random
def fetch_with_backoff(url, max_retries=5, base_delay=1):
"""Fetch a URL with exponential backoff and jitter."""
for attempt in range(max_retries):
try:
response = requests.get(url, timeout=10)
if response.status_code == 200:
return response.json()
if response.status_code == 429:
# Check for Retry-After header first
retry_after = response.headers.get("Retry-After")
if retry_after:
wait = int(retry_after)
print(f" Server says wait {wait}s (Retry-After header)")
else:
# Exponential backoff with jitter
wait = base_delay * (2 ** attempt) + random.uniform(0, 1)
print(f" Rate limited. Backing off {wait:.1f}s (attempt {attempt + 1})")
time.sleep(wait)
continue
if response.status_code >= 500:
# Server errors are also retryable
wait = base_delay * (2 ** attempt) + random.uniform(0, 1)
print(f" Server error {response.status_code}. Retrying in {wait:.1f}s")
time.sleep(wait)
continue
# Client errors (4xx except 429) should not be retried
response.raise_for_status()
except requests.exceptions.Timeout:
wait = base_delay * (2 ** attempt)
print(f" Timeout. Retrying in {wait}s (attempt {attempt + 1})")
time.sleep(wait)
except requests.exceptions.ConnectionError:
wait = base_delay * (2 ** attempt)
print(f" Connection failed. Retrying in {wait}s (attempt {attempt + 1})")
time.sleep(wait)
raise Exception(f"Failed after {max_retries} attempts")
# Test with a real API
print("Fetching user data...")
user = fetch_with_backoff("https://jsonplaceholder.typicode.com/users/1")
print(f"Name: {user['name']}")
print(f"Email: {user['email']}")
print(f"Company: {user['company']['name']}")Output:
Fetching user data...
Name: Leanne Graham
Email: Sincere@april.biz
Company: Romaguera-CronaThis function handles three categories of retryable failures: rate limits (429), server errors (500+), and network issues (timeouts and connection errors). The random.uniform(0, 1) adds jitter so that if you have 10 scripts running in parallel, they do not all retry at the exact same second and trigger another rate limit. Notice that we check for the Retry-After header first — if the server tells us how long to wait, we trust that over our own backoff calculation.
Production-Grade Retries With tenacity
Writing retry logic from scratch works, but the tenacity library makes it dramatically cleaner. It provides a @retry decorator that handles exponential backoff, jitter, conditional retries, and more — all in a single line. Install it with pip install tenacity.
# tenacity_example.py
import requests
from tenacity import (
retry,
stop_after_attempt,
wait_exponential,
retry_if_exception_type,
before_sleep_log,
)
import logging
# Set up logging to see retry activity
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
@retry(
stop=stop_after_attempt(5), # Max 5 attempts
wait=wait_exponential(multiplier=1, max=30), # 1s, 2s, 4s, 8s... up to 30s
retry=retry_if_exception_type(requests.exceptions.RequestException),
before_sleep=before_sleep_log(logger, logging.WARNING),
)
def fetch_data(url):
"""Fetch data from an API with automatic retries."""
response = requests.get(url, timeout=10)
if response.status_code == 429:
raise requests.exceptions.RequestException(
f"Rate limited (429). Retry-After: {response.headers.get('Retry-After', 'unknown')}"
)
response.raise_for_status()
return response.json()
# Use it just like a normal function
print("Fetching posts...")
posts = fetch_data("https://jsonplaceholder.typicode.com/posts?_limit=3")
for post in posts:
print(f" [{post['id']}] {post['title'][:50]}...")Output:
Fetching posts...
[1] sunt aut facere repellat provident occaecati exc...
[2] qui est esse...
[3] ea molestias quasi exercitationem repellat qui i...The @retry decorator adds all the retry behavior without cluttering your function with loops and sleep calls. The stop_after_attempt(5) sets the maximum retries, wait_exponential(multiplier=1, max=30) implements exponential backoff capped at 30 seconds, and retry_if_exception_type ensures we only retry on network-related errors. The before_sleep_log callback logs each retry attempt so you can monitor what is happening in production. Your actual function stays clean — it just makes the request and raises if something goes wrong.
Custom Retry Conditions With tenacity
Sometimes you need more control over when to retry. The tenacity library lets you write custom retry conditions using callback functions. This is useful when you want to retry based on the response content, not just the HTTP status code.
# tenacity_custom.py
import requests
from tenacity import retry, stop_after_attempt, wait_exponential, retry_if_result
def is_rate_limited(response):
"""Return True if the response indicates rate limiting."""
if response is None:
return True
return response.status_code == 429 or response.status_code >= 500
@retry(
stop=stop_after_attempt(4),
wait=wait_exponential(multiplier=1, max=16),
retry=retry_if_result(is_rate_limited),
)
def make_api_call(url):
"""Make an API call, returning the response object."""
try:
response = requests.get(url, timeout=10)
if response.status_code == 429:
retry_after = response.headers.get("Retry-After")
print(f" 429 received. Retry-After: {retry_after}")
return response
except requests.exceptions.RequestException as e:
print(f" Network error: {e}")
return None
# Make the call — tenacity handles retries automatically
print("Making API call...")
response = make_api_call("https://httpbin.org/get")
if response and response.status_code == 200:
data = response.json()
print(f"Success! Origin: {data.get('origin', 'unknown')}")
print(f"Headers received: {len(data.get('headers', {}))}")
else:
print("All retries exhausted")Output:
Making API call...
Success! Origin: 203.0.113.42
Headers received: 5The retry_if_result condition is powerful because it lets you inspect the actual response, not just catch exceptions. The is_rate_limited() function returns True for 429 responses and server errors (500+), telling tenacity to retry. For successful responses (200-399) or client errors (400-499 except 429), it returns False and the function returns normally. This gives you fine-grained control over exactly which responses trigger a retry.
Respecting the Retry-After Header
Many well-designed APIs include a Retry-After header in their 429 responses. This header tells you exactly how many seconds to wait before your next request will be accepted. Always use this value when available — it is more accurate than your own backoff calculation because the API server knows when your rate limit window actually resets.
# retry_after.py
import requests
import time
def fetch_with_retry_after(url, max_retries=5):
"""Fetch a URL, respecting the Retry-After header."""
for attempt in range(max_retries):
response = requests.get(url, timeout=10)
if response.status_code == 200:
# Log rate limit headers if present
remaining = response.headers.get("X-RateLimit-Remaining")
limit = response.headers.get("X-RateLimit-Limit")
if remaining and limit:
print(f" Rate limit: {remaining}/{limit} requests remaining")
return response.json()
if response.status_code == 429:
retry_after = response.headers.get("Retry-After")
if retry_after:
# Retry-After can be seconds or an HTTP date
try:
wait = int(retry_after)
except ValueError:
# It's a date string — parse and calculate seconds
wait = 60 # Fallback
print(f" Rate limited. Server says wait {wait}s.")
else:
wait = 2 ** attempt # Fallback to exponential backoff
print(f" Rate limited. No Retry-After. Backing off {wait}s.")
time.sleep(wait)
continue
# Non-retryable error
response.raise_for_status()
raise Exception(f"Failed after {max_retries} attempts")
# Test with httpbin (won't actually rate limit, but demonstrates the pattern)
print("Fetching data with rate limit awareness...")
data = fetch_with_retry_after("https://httpbin.org/get")
print(f"Origin: {data.get('origin', 'unknown')}")Output:
Fetching data with rate limit awareness...
Origin: 203.0.113.42This function checks for rate limit headers on every successful response too — not just on 429s. The X-RateLimit-Remaining header tells you how many requests you have left in the current window. If you see this number getting low, you can proactively slow down your requests before hitting the limit. This is called proactive throttling and it is much better than waiting for 429 errors to react.
Proactive Request Throttling
Instead of waiting for rate limit errors and then reacting, you can throttle your requests proactively to stay under the limit. This approach is cleaner, faster, and more respectful to the API provider. The simplest way is to add a delay between requests, but a more sophisticated approach uses a token bucket or sliding window to allow bursts while maintaining an average rate.
# throttling.py
import requests
import time
class ThrottledClient:
"""An HTTP client that limits requests per second."""
def __init__(self, requests_per_second=5):
self.min_interval = 1.0 / requests_per_second
self.last_request_time = 0
def get(self, url, **kwargs):
"""Make a throttled GET request."""
# Calculate how long to wait
elapsed = time.time() - self.last_request_time
if elapsed < self.min_interval:
wait = self.min_interval - elapsed
time.sleep(wait)
self.last_request_time = time.time()
return requests.get(url, timeout=10, **kwargs)
# Demo: fetch 5 posts at a controlled rate
client = ThrottledClient(requests_per_second=2) # Max 2 requests/sec
print("Fetching posts with throttling (2 req/sec max):\n")
start = time.time()
for post_id in range(1, 6):
response = client.get(f"https://jsonplaceholder.typicode.com/posts/{post_id}")
data = response.json()
elapsed = time.time() - start
print(f" [{elapsed:5.2f}s] Post {post_id}: {data['title'][:40]}...")
total = time.time() - start
print(f"\nFetched 5 posts in {total:.2f}s (throttled to 2/sec)")Output:
Fetching posts with throttling (2 req/sec max):
[ 0.31s] Post 1: sunt aut facere repellat provident occ...
[ 0.82s] Post 2: qui est esse...
[ 1.33s] Post 3: ea molestias quasi exercitationem repel...
[ 1.82s] Post 4: eum et est occaecati...
[ 2.35s] Post 5: nesciunt quas odio...
Fetched 5 posts in 2.35s (throttled to 2/sec)The ThrottledClient class tracks when the last request was made and adds a delay if needed to maintain the target rate. With requests_per_second=2, it ensures at least 0.5 seconds between requests. This is much better than adding a flat time.sleep(0.5) after every request because it accounts for the actual time the request takes — if a request takes 0.3 seconds, it only sleeps for 0.2 more seconds. This maximizes throughput while staying within limits.
Using requests.Session With HTTPAdapter for Retries
The requests library has a built-in retry mechanism through the urllib3.Retry class and HTTPAdapter. This is useful when you want retry behavior on all requests made through a session without modifying each individual call.
# session_retry.py
import requests
from requests.adapters import HTTPAdapter
from urllib3.util.retry import Retry
def create_retry_session(
retries=3,
backoff_factor=1,
status_forcelist=(429, 500, 502, 503, 504),
):
"""Create a requests session with built-in retry logic."""
session = requests.Session()
retry_strategy = Retry(
total=retries,
backoff_factor=backoff_factor, # 1s, 2s, 4s between retries
status_forcelist=status_forcelist,
allowed_methods=["GET", "POST", "PUT", "DELETE"],
raise_on_status=False,
)
adapter = HTTPAdapter(max_retries=retry_strategy)
session.mount("https://", adapter)
session.mount("http://", adapter)
return session
# Create a session with retry logic baked in
session = create_retry_session(retries=3, backoff_factor=1)
# Now every request through this session has automatic retries
print("Fetching with retry session...")
response = session.get("https://jsonplaceholder.typicode.com/users/1")
user = response.json()
print(f"Name: {user['name']}")
print(f"Email: {user['email']}")
# Fetch multiple resources — all have retry protection
print("\nFetching comments...")
response = session.get("https://jsonplaceholder.typicode.com/posts/1/comments")
comments = response.json()
print(f"Found {len(comments)} comments on post 1")
for comment in comments[:2]:
print(f" - {comment['name'][:40]}...")Output:
Fetching with retry session...
Name: Leanne Graham
Email: Sincere@april.biz
Fetching comments...
Found 5 comments on post 1
- id labore ex et quam laborum...
- quo vero reiciendis velit similique ear...The HTTPAdapter approach is elegant because you configure retry behavior once on the session and it applies to every request automatically. The status_forcelist parameter specifies which HTTP status codes should trigger a retry — here we include 429 (rate limited) and the common server error codes (500-504). The backoff_factor=1 means retries happen at 1s, 2s, 4s intervals. This is the approach most production Python applications use because it requires zero changes to individual API calls.
Real-Life Example: Resilient API Data Fetcher
Let us build a complete, production-ready API client that combines everything we have covered: exponential backoff, Retry-After handling, proactive throttling, and comprehensive logging. This is a class you can drop into any project that needs to pull data from rate-limited APIs.
# resilient_api_client.py
import requests
from requests.adapters import HTTPAdapter
from urllib3.util.retry import Retry
import time
import random
class ResilientAPIClient:
"""A production-ready API client with rate limit handling."""
def __init__(self, base_url, requests_per_second=5, max_retries=5):
self.base_url = base_url.rstrip("/")
self.min_interval = 1.0 / requests_per_second
self.max_retries = max_retries
self.last_request_time = 0
self.request_count = 0
self.retry_count = 0
# Set up session with built-in retry for server errors
self.session = requests.Session()
retry_strategy = Retry(
total=2,
backoff_factor=0.5,
status_forcelist=(500, 502, 503, 504),
)
adapter = HTTPAdapter(max_retries=retry_strategy)
self.session.mount("https://", adapter)
self.session.mount("http://", adapter)
def _throttle(self):
"""Enforce rate limiting between requests."""
elapsed = time.time() - self.last_request_time
if elapsed < self.min_interval:
time.sleep(self.min_interval - elapsed)
self.last_request_time = time.time()
def get(self, endpoint, params=None):
"""Make a GET request with full retry and throttling."""
url = f"{self.base_url}/{endpoint.lstrip('/')}"
self._throttle()
for attempt in range(self.max_retries):
self.request_count += 1
response = self.session.get(url, params=params, timeout=15)
if response.status_code == 200:
return response.json()
if response.status_code == 429:
self.retry_count += 1
retry_after = response.headers.get("Retry-After")
if retry_after:
wait = int(retry_after) + random.uniform(0, 1)
else:
wait = (2 ** attempt) + random.uniform(0, 1)
print(f" [429] Rate limited on {endpoint}. Waiting {wait:.1f}s...")
time.sleep(wait)
continue
response.raise_for_status()
raise Exception(f"Failed to fetch {endpoint} after {self.max_retries} retries")
def get_stats(self):
"""Return usage statistics."""
return {
"total_requests": self.request_count,
"retries": self.retry_count,
"success_rate": f"{((self.request_count - self.retry_count) / max(self.request_count, 1)) * 100:.1f}%",
}
# --- Demo: Fetch data from JSONPlaceholder API ---
if __name__ == "__main__":
client = ResilientAPIClient(
base_url="https://jsonplaceholder.typicode.com",
requests_per_second=3,
max_retries=5,
)
print("=== Resilient API Client Demo ===\n")
# Fetch multiple users
print("Fetching users...")
users = client.get("/users")
for user in users[:3]:
print(f" {user['name']} ({user['email']})")
# Fetch posts for a user
print(f"\nFetching posts for user 1...")
posts = client.get("/posts", params={"userId": 1})
print(f" Found {len(posts)} posts")
for post in posts[:3]:
print(f" [{post['id']}] {post['title'][:45]}...")
# Fetch comments on first post
print(f"\nFetching comments on post 1...")
comments = client.get("/posts/1/comments")
print(f" Found {len(comments)} comments")
# Fetch todos
print(f"\nFetching todos...")
todos = client.get("/todos", params={"userId": 1, "_limit": 5})
completed = sum(1 for t in todos if t["completed"])
print(f" {completed}/{len(todos)} completed")
# Print stats
stats = client.get_stats()
print(f"\n=== Client Stats ===")
print(f" Total requests: {stats['total_requests']}")
print(f" Retries: {stats['retries']}")
print(f" Success rate: {stats['success_rate']}")Output:
=== Resilient API Client Demo ===
Fetching users...
Leanne Graham (Sincere@april.biz)
Ervin Howell (Shanna@melissa.tv)
Clementine Bauch (Nathan@yesenia.net)
Fetching posts for user 1...
Found 10 posts
[1] sunt aut facere repellat provident occaec...
[2] qui est esse...
[3] ea molestias quasi exercitationem repella...
Fetching comments on post 1...
Found 5 comments
Fetching todos...
2/5 completed
=== Client Stats ===
Total requests: 4
Retries: 0
Success rate: 100.0%This ResilientAPIClient class is designed for real-world use. It combines proactive throttling (the _throttle method ensures you never exceed your target rate), reactive retry logic (exponential backoff with jitter on 429 responses), and built-in statistics tracking. The session-level HTTPAdapter handles server errors (500s) automatically, while the manual retry loop in get() handles rate limits specifically. You can extend this class with authentication headers, POST/PUT methods, pagination support, or async capabilities using aiohttp for higher throughput.
Frequently Asked Questions
How many retries should I set?
Three to five retries is the standard range for most APIs. With exponential backoff starting at 1 second, five retries means a maximum total wait of about 31 seconds (1 + 2 + 4 + 8 + 16). If an API is still rate-limiting you after 30 seconds of waiting, either your rate is far too high or the API is experiencing an outage. For batch processing jobs that can tolerate longer waits, you might go up to 7-10 retries with a backoff cap of 60 seconds.
What is jitter and why does it matter?
Jitter adds a small random delay to your backoff interval. Without it, if 100 clients all get rate-limited at the same time, they will all retry at exactly 1 second, get limited again, retry at 2 seconds, and so on — creating synchronized waves of traffic. Adding random.uniform(0, 1) spreads out the retries so not everyone hits the server at the same instant. This is especially important in distributed systems where multiple workers or servers are calling the same API.
What is the difference between 429 and 503 errors?
A 429 Too Many Requests means you specifically have exceeded your rate limit — the server is healthy but refusing your requests because you are making too many. A 503 Service Unavailable means the server itself is overloaded or down for maintenance — it is not specific to you. Both are retryable, but 429 usually comes with a Retry-After header telling you exactly when to try again, while 503 is more unpredictable. Treat 429 as "slow down" and 503 as "try again later."
Can I use retry logic with async/await?
Yes. The tenacity library works with async functions out of the box — just decorate your async def function with @retry and it handles everything. For the requests session approach, switch to aiohttp which is the async equivalent. You can also use asyncio.sleep() instead of time.sleep() in your manual retry loops so the event loop can process other tasks during the backoff period.
How do I handle rate limits for multiple different APIs?
Create separate client instances for each API, each with its own rate limit configuration. For example, if the GitHub API allows 5,000 requests per hour and a weather API allows 60 requests per minute, create two ResilientAPIClient instances with different requests_per_second values. This keeps each API's rate limiting independent and prevents one slow API from blocking requests to another.
How do I test retry logic without hitting a real API?
Use the responses library (pip install responses) or unittest.mock to mock HTTP responses. You can simulate a sequence of 429 → 429 → 200 responses to verify your backoff logic works correctly. For integration testing, httpbin.org/status/429 returns a real 429 response that you can use to test your retry handling against an actual HTTP server.
Conclusion
You now have a complete toolkit for handling API rate limits in Python. We covered the fundamentals of what rate limits are and why APIs use them, built retry logic with exponential backoff and jitter from scratch, used the tenacity library for clean decorator-based retries, learned to respect the Retry-After header, implemented proactive request throttling, configured the requests session with HTTPAdapter for automatic retries, and built a production-ready ResilientAPIClient class that combines all these techniques.
Try extending the ResilientAPIClient with authentication support, pagination handling, or aiohttp integration for async requests. These are the natural next steps when building data pipelines or API integrations that need to be both fast and reliable.
For more on the retry patterns covered here, the tenacity documentation is an excellent reference. The requests library documentation covers session management and adapters in detail.