# Rate Limits

{% hint style="warning" %}
**The ER:LC API does not officially support bot hosting services, like Bot Ghost.**

Services like BotGhost host many apps under the same IP, leading to frequent rate limits. It's best you do not use BotGhost when using the ER:LC API.
{% endhint %}

## Definitions

On this page,&#x20;

**Application** means an application (such as a Discord bot or website) with access to the PRC API. Each application is uniquly identified via their application key, provided in the Authorization header.

**Server** means a private server. Each server is uniquely identified with with the server key, provided via the Server-Key header.

## Global Rate Limit

Each application is limited to a set number of requests per second - **rate limits may vary per application and server! You should use the provided headers on each request to dynamically adjust your rate limits**.

Rate Limits apply per-IP by default, large apps may have a *global API key* which allows for larger rate-limits and internal tracking.

## Per-Route Rate Limit

Per-Route Rate Limits may be added to routes that are more intensive or subject to abuse. Rate Limits that differentiate from the global limit are identified via the `X-RateLimit-Bucket` header.&#x20;

For example, the POST route to send a command to an ER:LC server has a limit of 1 request per 5 seconds\* (subject to change), this is identified via the X-RateLimit-Bucket header being set to `command-[Server-Key]`.

## Headers

For most standard API requests, we attach standard rate limit headers:

**Please keep in mind the example values in this table are EXAMPLES - you should NOT hardcode rate limit data into your application!**

| Header                | Example Value       | Description                                                         |
| --------------------- | ------------------- | ------------------------------------------------------------------- |
| X-RateLimit-Bucket    | global              | Which rate limit bucket the request was subject to                  |
| X-RateLimit-Limit     | 35                  | The number of requests that can be made to this bucket before a 429 |
| X-RateLimit-Remaining | 34                  | The number of remaining requests that can be made                   |
| X-RateLimit-Reset     | \*Epoch Timestamp\* | Epoch timestamp when the rate limit resets                          |

## Being Rate Limited

When you exceed a rate limit, you will be met with a 429 HTTP Response code and a request body with a message, time to retry\_after in seconds, and which bucket you have hit.

Normal rate limit headers (described above) will also be included.

## Repeat Offender Rate Limits

Applications that continually send requests to the API after being sent 429s may be blocked for longer durations of time. It is very important that you respect the retry after headers and request body when you receive a HTTP 429 response.

### CloudFlare Bans for API Abuse

Applications that regularly fail to respect our rate limits and repeat offender limits will be automatically blocked from our API via Cloudflare.

If you are seeing a Cloudflare block page, you should contact us via an API Ticket in the PRC Discord.

## Invalid Requests

Applications that send requests to invalid server-keys will be permanently blocked via IP if they continually send invalid requests over the period of several days.

**As a best practice, if you receive a 403 error several times, stop using that server-key as it has likely been regenerated by the server's owner.**