Rate Limits & Plans
PayzCore enforces burst rate limits (per-IP, per-API-key) and daily plan-based limits. Free plan: 500 API calls/day, Pro plan: 25,000/day. Daily counters reset at midnight UTC.
Rate Limits & Plans
PayzCore enforces rate limits at two levels: burst limits to prevent abuse and daily plan-based limits tied to your subscription. Understanding both is essential for building reliable integrations.
Plans
| Free | Pro ($29/mo) | |
|---|---|---|
| Projects | 2 | 5 |
| Wallets | 2 | 5 |
| API calls/day | 500 | 25,000 |
| Webhooks/day | 100 | 10,000 |
| Telegram notifications/day | 100 | 10,000 |
New accounts start on the Free plan. Project and wallet limits are enforced at creation time — if you downgrade from Pro to Free, existing projects and wallets continue to work, but you cannot create new ones until you are below the Free limit.
Burst Rate Limits
Burst limits protect against accidental loops, runaway scripts, and abuse. They operate on short sliding windows.
Per-API-key limit
| Limit | Window |
|---|---|
| 60 requests | 1 minute |
Every request authenticated with x-api-key counts against this limit. When exceeded, the API returns HTTP 429:
{
"error": "Rate limit exceeded. Try again later."
}With response headers:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1739975400Per-IP limit
| Limit | Window |
|---|---|
| 30 requests | 1 minute |
Unauthenticated endpoints (login, registration, health check) are rate-limited by IP address.
Other burst limits
| Endpoint | Limit | Window |
|---|---|---|
| Login (per email) | 10 | 1 minute |
| Login (per IP) | 20 | 15 minutes |
| Registration (per email) | 3 | 1 hour |
| Email resend (per email) | 3 | 15 minutes |
| TOTP verification (per user) | 10 | 15 minutes |
| Password reset (per email) | 3 | 1 hour |
These limits apply to the dashboard authentication flow, not to the project API.
Daily Plan Limits
Daily limits are tied to the project owner's plan. If you own multiple projects, all API calls across all your projects share the same daily quota.
API calls per day
| Plan | Daily Limit |
|---|---|
| Free | 500 |
| Pro | 25,000 |
Every successful API call (POST, GET) to /api/v1/* endpoints counts against this limit, with one exception:
GET /api/v1/config does not count against your daily API call limit. This endpoint returns your project's available chains and tokens. It is exempt so that plugins and integrations can fetch configuration freely without consuming your quota.
Webhooks per day
| Plan | Daily Limit |
|---|---|
| Free | 100 |
| Pro | 10,000 |
Each webhook dispatched to your server counts against this limit. Failed webhooks that are retried count each attempt separately.
Telegram notifications per day
| Plan | Daily Limit |
|---|---|
| Free | 100 |
| Pro | 10,000 |
Each Telegram notification sent to your linked account counts against this limit.
When daily limits are exceeded
When you hit your daily API call limit, the API returns HTTP 429 with a specific set of headers:
{
"error": "Daily API call limit exceeded. Upgrade your plan for unlimited access.",
"limit": 500,
"plan": "free"
}Response headers:
X-RateLimit-Limit: 500
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1740009600
X-RateLimit-Daily: trueThe X-RateLimit-Daily: true header distinguishes a daily limit from a burst limit. This is important for your retry logic:
- Burst limit (
X-RateLimit-Dailyabsent): Wait a few seconds and retry - Daily limit (
X-RateLimit-Daily: true): Do not retry until after midnight UTC
When the daily webhook limit is exceeded, webhooks are silently dropped (not queued for later). Monitor your usage in the dashboard to avoid missing notifications.
Daily Counter Reset
All daily counters reset at midnight UTC (00:00:00 UTC). The X-RateLimit-Reset header in a daily limit response contains the Unix timestamp of the next midnight UTC.
Counters are tracked per user, not per project. If you own three projects, the API calls from all three projects count toward your single daily quota.
Checking Your Remaining Quota
Every API response includes rate limit headers when a limit is approaching:
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum allowed requests for this window |
X-RateLimit-Remaining | Requests remaining before the limit is hit |
X-RateLimit-Reset | Unix timestamp (seconds) when the limit resets |
X-RateLimit-Daily | Present and set to true only for daily limit responses |
You can monitor these headers to implement proactive backoff in your integration. For example, if X-RateLimit-Remaining drops below 10% of X-RateLimit-Limit, slow down your request rate.
Admin Custom Overrides
Account administrators can set custom limits for individual users that override the plan defaults. Custom overrides are set per-field, so an admin can increase your API call limit without changing your webhook limit.
Overridable fields:
- Maximum projects
- Maximum wallets
- API calls per day
- Webhooks per day
- Telegram notifications per day
If a custom override is set, it takes precedence over the plan default. If it is removed, the plan default applies again.
Custom overrides are visible in the admin panel but not exposed to end users via API. If you need higher limits, contact your account administrator.
Upgrading Your Plan
To increase your limits, upgrade to the Pro plan:
- Log in to the dashboard at app.payzcore.com
- Navigate to Billing in the sidebar
- Select your preferred blockchain (TRC20, BEP20, etc.)
- Send the subscription amount in USDT to the displayed address
- Your plan upgrades automatically once the payment is confirmed on-chain
Pro plan benefits take effect immediately upon payment confirmation. Daily counters for the current day are not reset — the new higher limit simply replaces the old one.
Best Practices
-
Cache responses where possible. If you poll
GET /api/v1/payments/:idfor status, use reasonable intervals (every 30-60 seconds, not every second). -
Use webhooks instead of polling. Webhooks notify you when a payment status changes, eliminating the need for constant polling and saving API calls.
-
Implement exponential backoff. When you receive a
429response, back off exponentially rather than retrying immediately. -
Monitor the
X-RateLimit-Remainingheader. Proactively reduce request rate when you are approaching the limit. -
Use
GET /api/v1/configfreely. This endpoint is exempt from daily limits, so plugins can call it on every admin page load without concern. -
Batch operations where possible. Creating one payment with proper metadata is better than creating multiple test payments.
-
Separate environments. Use different projects (and API keys) for development and production to avoid development traffic consuming your production quota.