Overview

In addition to the default rate limit applied per linked account, Merge enforces a global rate limit to protect our API from malicious scanning. The limit triggers when more than 20 requests from a single IP in a rolling 10 second window fail with an error status code — any response of 400 or higher, excluding 429 itself.

How do I avoid hitting the global rate limit?

• Implement a backoff strategy — when you start receiving error responses, slow down subsequent requests so the total number of failing calls stays below 20 per 10 second window from a single IP.

• Monitor error responses — track 4xx and 5xx status codes so a misconfigured client doesn't generate a burst of failing requests against the same IP.

• Fix the underlying error first — repeated errors that aren't 429 still count toward the global limit, so resolving the root cause (auth, payload, endpoint) is more effective than retrying.

Note: 429 responses themselves are excluded from the count, but every other error status code (400, 401, 403, 404, 500, etc.) contributes toward the global rate-limit threshold.

Who should I contact for help?

If you believe you're hitting the global rate limit unexpectedly or need help designing a backoff strategy, reach out to us at [email protected].