Rate Limits & Best Practices

Understanding and respecting API rate limits ensures reliable, high-performance integrations that scale with your prop firm’s growth.

Rate Limit Overview

Tradovate implements multiple layers of rate limiting to ensure fair usage and maintain system stability for all partners.

Rate Limit Types

Standard Rate Limits

REST API Endpoints:

General Endpoints:     * 1,000 requests/second 
                       * 5000 requests/minute
                       * 5000 requests/hour
Authentication:        10 requests/minute
Reporting:             200 requests/minute

Rate Limit Response Format

When limits are exceeded, you receive:

HTTP Response:

1
HTTP/1.1 429 Too Many Requests
2
Content-Length: 0

WebSocket Response:

1
[{"s": 429, "i": "request_id"}]

Handling Penalty Tickets (P-Tickets)

When you exceed rate limits on certain endpoints, the system may return a penalty ticket instead of a simple 429 response. This requires you to wait for a specified time before retrying.

Penalty Ticket Response Format

When a penalty ticket is issued, you receive:

1
{
2
  "p-ticket": "encrypted_penalty_token_here",
3
  "p-time": 60,
4
  "p-captcha": true
5
}

Response Fields:

• p-ticket: Encrypted penalty token tied to your IP address
• p-time: Penalty duration in seconds
• p-captcha: Whether reCAPTCHA verification is required (optional field)

Handling Penalty Tickets

1
interface PenaltyTicket {
2
  'p-ticket': string;
3
  'p-time': number;
4
  'p-captcha'?: boolean;
5
}
6
7
class PenaltyTicketHandler {
8
  private penaltyTicket: PenaltyTicket | null = null;
9
  private penaltyEndTime: number = 0;
10
11
  async makeRequest(url: string, body: any): Promise<Response> {
12
    // Wait for penalty period if active
13
    if (this.isPenaltyActive()) {
14
      const waitTime = this.penaltyEndTime - Date.now();
15
      if (waitTime > 0) {
16
        console.log(`Penalty active, waiting ${waitTime}ms...`);
17
        await this.sleep(waitTime);
18
      }
19
      this.clearPenalty();
20
    }
21
22
    // Include penalty ticket in request if available
23
    const requestBody = this.penaltyTicket 
24
      ? { ...body, ...this.penaltyTicket }
25
      : body;
26
27
    const response = await fetch(url, {
28
      method: 'POST',
29
      headers: {
30
        'Content-Type': 'application/json',
31
        'Authorization': `Bearer ${this.accessToken}`
32
      },
33
      body: JSON.stringify(requestBody)
34
    });
35
36
    // Handle penalty ticket response
37
    if (response.ok) {
38
      const data = await response.json();
39
      if (this.isPenaltyTicketResponse(data)) {
40
        this.handlePenaltyTicket(data);
41
        throw new Error(`Rate limit penalty: wait ${data['p-time']} seconds`);
42
      }
43
      return response;
44
    }
45
46
    throw new Error(`HTTP ${response.status}: ${response.statusText}`);
47
  }
48
49
  private isPenaltyTicketResponse(data: any): data is PenaltyTicket {
50
    return data && typeof data['p-ticket'] === 'string' && typeof data['p-time'] === 'number';
51
  }
52
53
  private handlePenaltyTicket(ticket: PenaltyTicket): void {
54
    this.penaltyTicket = ticket;
55
    this.penaltyEndTime = Date.now() + (ticket['p-time'] * 1000);
56
    
57
    if (ticket['p-captcha']) {
58
      console.warn('reCAPTCHA verification required for penalty ticket');
59
      // Handle reCAPTCHA requirement - see next section
60
    }
61
  }
62
63
  private isPenaltyActive(): boolean {
64
    return this.penaltyEndTime > Date.now();
65
  }
66
67
  private clearPenalty(): void {
68
    this.penaltyTicket = null;
69
    this.penaltyEndTime = 0;
70
  }
71
72
  private sleep(ms: number): Promise<void> {
73
    return new Promise(resolve => setTimeout(resolve, ms));
74
  }
75
}

reCAPTCHA Rate Limiting (423 Response)

For severe rate limit violations, especially repeated failed authentication attempts, the system may require reCAPTCHA verification and impose extended lockout periods.

reCAPTCHA Response Format

When reCAPTCHA is required, you receive:

HTTP/1.1 423 Locked
Content-Type: text/plain
ReCaptcha needed. Please install the latest version of the application

Authentication Failure Lockout

Critical: When you receive a 423 response after failed authentication attempts:

1. Stop all API calls immediately for 1 hour
2. Do not retry authentication during the lockout period
3. After 1 hour, retry with valid credentials

Best Practices for reCAPTCHA Lockouts

Critical Guidelines:

• Immediate Cessation: Stop all API calls when receiving 423 responses
• Wait Full Duration: Respect the 1-hour lockout period completely
• Monitor Failed Attempts: Track authentication failures to prevent lockouts
• Valid Credentials Only: Only retry with confirmed correct credentials
• User Notification: Inform users about lockout periods and duration

Critical Warnings

Best Practices Summary

Do’s ✅

1. Implement exponential backoff for retries
2. Cache responses appropriately
3. Use batch endpoints when available
4. Prioritize critical requests (orders, risk management)
5. Set up monitoring and alerting for rate limit usage
6. Use connection pooling for HTTP clients
7. Respect Retry-After headers

Don’ts ❌

1. Don’t ignore 429 responses - always implement retry logic
2. Don’t make unnecessary API calls - cache when possible
3. Don’t exceed rate limits consistently - this may result in temporary blocks
4. Don’t implement infinite retry loops - set maximum retry attempts
5. Don’t skip authentication rate limits - these are stricter
6. Don’t make blocking calls in high-frequency operations

Requesting Higher Limits

For high-volume integrations, you can request increased rate limits:

Eligibility Criteria

• Established partnership with proven integration
• Proper rate limit handling implemented
• Business justification for higher limits
• Technical review of integration architecture