Rate Limits

Understanding and respecting API rate limits ensures reliable, high-performance integrations that scale with your prop firm’s growth.

Rate Limit Overview

The Tradovate API implements a two-tier rate limiting system:

User-Level Limits: Applied per user (by user ID) across all endpoints
Endpoint-Level Limits: Applied per IP address for specific endpoints

When an endpoint rate limit is exceeded, the user must wait the amount of seconds specified in the p-time before making another request of the same type.

Considerations

Two-tier rate limiting: Both user-level limits (based on authentication) and endpoint-level limits apply simultaneously. Your requests must respect both.
Sliding time window: Endpoint limits use a rolling 1-hour window, not a fixed hourly reset.
Shared IP limits: Endpoint limits are tracked by IP address. If you’re behind a shared IP (corporate network, VPN, shared hosting), you may share limits with other clients.
Back-off behavior: Repeated violations may extend the required wait time before you can retry.
Request counting: Some endpoints count all requests toward the limit, while others only count failed requests. See the “Count Success” column in each table.

User-Level Rate Limits

User Type	Per Hour	Per Minute	Per Second
Anonymous	1,000	1,000	100
Authenticated	5,000	5,000	5,000

Endpoint-Level Rate Limits

Note: The count success column means that the limit is counted on both successful and non-successful calls to the endpoint.

Note: Endpoints showing “n/a” do not have specific endpoint-level limits. They follow the standard user-level rate limits.

Authentication Endpoints

Endpoint	Limit/Hour	Back-off (sec)	Count Success
`accesstokenrequest`	5	15	No
`renewaccesstoken`	15	15	Yes
`me`	10	30	No

User Management Endpoints

Endpoint	Limit/Hour	Back-off (sec)	Count Success
`createevaluationusers`	100	1	No
`createevaluationaccounts`	100	1	No
`canceleverything`	n/a	n/a	n/a
`syncrequest`	300	3	Yes

Trading Permission Endpoints

Endpoint	Limit/Hour	Back-off (sec)	Count Success
`requesttradingpermission`	20	2	No
`revoketradingpermission`	n/a	n/a	n/a
`revoketradingpermissions`	n/a	n/a	n/a

Account & Risk Management Endpoints

Endpoint	Limit/Hour	Back-off (sec)	Count Success
`resetdemoaccountstate`	n/a	n/a	n/a
`switchriskcategory`	5,000	1	Yes
`setadminautoliqaction`	n/a	n/a	n/a
`updatemaxnetliq`	n/a	n/a	n/a
`useraccountautoliq/update`	n/a	n/a	n/a
`setdemohalt`	20	5	Yes
`changedemobalance`	1,000	10	Yes

Subscription & Entitlement Endpoints

Endpoint	Limit/Hour	Back-off (sec)	Count Success
`addmarketdatasubscription`	n/a	n/a	n/a
`addtradovatesubscription`	n/a	n/a	n/a
`addentitlementsubscription`	n/a	n/a	n/a

Admin Alert Endpoints

Endpoint	Limit/Hour	Back-off (sec)	Count Success
`adminalertsignal/deps`	n/a	n/a	n/a
`adminalertsignal/completealertsignal`	n/a	n/a	n/a

Contact Info Endpoints

Endpoint	Limit/Hour	Back-off (sec)	Count Success
`contactinfo/updatecontactinfo`	n/a	n/a	n/a

Rate Limit Responses

User-Level Rate Limits Exceeded (429 Response)

For general rate limit violations, when a limit is reached, the server stops handling requests for a period of time and responds to each new request with a 429 status code.

HTTP Response

1 HTTP/1.1 429 Too Many Requests
2 Content-Length: 0

WebSocket Response

1 [{"s": 429, "i": "request_id"}]

Handling 429 Responses

Wait 1 hour before sending another request
Cannot be resolved programmatically from third-party applications

Endpoint-Level Rate Limits Exceeded (Penalty Ticket)

For endpoint-level rate limit violations, the system may return a penalty ticket (p-ticket) returned in successful HTTP responses (200 OK), not as 429 errors. When you receive a penalty ticket, the request was not handled and the server has imposed a time penalty.

p-ticket: Encrypted penalty token tied to your IP address - must be included as an additional parameter in the request body’s JSON when retrying
p-time: Penalty duration in seconds - wait this long before retrying the call
p-captcha: Whether reCAPTCHA verification is required (optional field) - when true, the operation cannot be tried again from a third party application and users should be alerted that they should try the operation again in an hour

HTTP Response

1 {
2     "p-ticket": "encrypted_ticket_string",
3     "p-time": 15,
4     "p-captcha": true
5 }

WebSocket Response

a[{"s":200,"i":"42","d":{"p-ticket":"abc123xyz","p-time":15}}]

Handling Penalty Tickets (P-Tickets)

When you receive a penalty ticket response:

Check for p-captcha: If true, stop immediately and inform users to retry in 1 hour (cannot be resolved programmatically from third-party applications)
Wait p-time seconds: The client can retry the call in p-time seconds
Retry with p-ticket: Include p-ticket as an additional parameter in the request body’s JSON along with your original request data

Note: One scenario where p-captcha: true can occur is upon too many authentication requests with sent bad data (incorrect username or password).

Authentication Failures: Multiple failed login attempts will trigger increasingly severe rate limits, potentially leading to reCAPTCHA requirements that cannot be bypassed programmatically.

1 const waitForMs = (ms) => {
2   return new Promise((resolve) => {
3     setTimeout(() => {
4       resolve();
5     }, ms);
6   });
7 };
8 
9 const handleRetry = async (data, json) => {
10   const ticket = json['p-ticket'];
11   const time = json['p-time'];
12   const captcha = json['p-captcha'];
13 
14   if (captcha) {
15     console.error('Captcha present, cannot retry auth request via third party application. Please try again in 1 hour.');
16     return;
17   }
18 
19   console.log(`Time Penalty present. Retrying operation in ${time}s`);
20 
21   await waitForMs(time * 1000);
22   
23   // Retry with original data plus p-ticket
24   await makeRequest({ ...data, 'p-ticket': ticket });
25 };
26 
27 const connect = async (data) => {
28   const authResponse = await tvPost('/auth/accesstokenrequest', data, false);
29 
30   // Check for penalty ticket in response body
31   if (authResponse['p-ticket']) {
32     return await handleRetry(data, authResponse);
33   }
34 
35   // Process successful response
36   const { accessToken, expirationTime } = authResponse;
37   setAccessToken(accessToken, expirationTime);
38 };

Rate Limits Best Practices

Do’s ✅

Check response bodies for penalty tickets - Even successful (200 OK) responses may contain p-ticket fields
Wait the full p-time duration before retrying penalty ticket requests
Include p-ticket in retry requests - Add it to the original request body when retrying
Check p-captcha first - Always verify this field before attempting retries
Cache responses appropriately to reduce API calls
Use batch endpoints when available
Prioritize critical requests (orders, risk management)
Set up monitoring and alerting for rate limit usage
Handle authentication failures gracefully - Track failed attempts to prevent lockouts

Don’ts ❌

Don’t ignore penalty tickets - Always check response bodies for p-ticket fields, even on successful responses
Don’t retry when p-captcha: true - Stop immediately and inform users to wait 1 hour
Don’t retry before waiting p-time seconds - Respect the full penalty duration
Don’t forget to include p-ticket - The retry request must include the penalty ticket
Don’t make unnecessary API calls - Cache when possible to avoid hitting limits
Don’t exceed rate limits consistently - This may result in temporary blocks or reCAPTCHA requirements
Don’t implement infinite retry loops - Set maximum retry attempts
Don’t skip authentication rate limits - These are stricter and may trigger reCAPTCHA

Requesting Higher Limits

For high-volume integrations, you can request increased rate limits:

Eligibility Criteria

Established partnership with proven integration
Proper rate limit handling implemented
Business justification for higher limits
Technical review of integration architecture

Support

Need help with rate limiting?

Partner Success Team - Rate limit increase requests
Support Center - Troubleshooting guides