Ratelimiting and Client Errors

The StackHawk API is available for users and organizations with the access to use it. Nonetheless, SpiderMan rules apply, and errors may occur.

Rate Limiting

API requests are rate-limited, with at most 360 requests per minute.
Some routes (such as the Login with API Key endpoint) may have lower limits. Users that exceed those limits will be served a 429 http response code.


don't be a jabroni

StackHawk would like to remind users and ethical hackers that denial of service attacks are not cool, and access to the API or platform will be rescinded for violations of the terms of service.

Client Errors

API Calls that fail due to client input will return 4xx status code.

400 Bad Request

The server could not process this request, although it may have tried.
The JSON response body message will include details on what input was invalid.

401 Unauthorized

The server doesn't think you should be making this request.

This error is intentionally vague for security purposes, but any of the following could cause it:

  • no authorization was provided
  • authorization has expired
  • authorization is insufficient for the requested resource

404 Not Found

The route or resource does not exist.

429 Too Many Requests

The server thinks you've made enough requests for now.

Users can retry the requests again later.