DevArbor
4xx Client Error

429 Too Many Requests

What it means

Rate limiting has kicked in — the client is making requests too quickly. The server should include a Retry-After header indicating when the client can try again. This protects services from abuse, DoS attacks, and accidental hammering.

Site Visitor

What can I do?

  • Wait a moment and try again. If this happens frequently, there may be an issue with the site.
  • If the problem persists after retrying, contact the site owner.
Developer

How to debug & fix

  1. Always include Retry-After header (seconds or HTTP date)
  2. Implement exponential backoff in API clients
  3. Differentiate global rate limits from per-user limits in your response
  4. Consider returning X-RateLimit-Limit and X-RateLimit-Remaining headers
  5. Include X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers alongside Retry-After.
  6. Implement exponential backoff with jitter in all API client code.

Code Example

Node.js / Express
const rateLimit = require('express-rate-limit');
app.use(rateLimit({
  windowMs: 60 * 1000, // 1 minute
  max: 100,
  standardHeaders: true,
  legacyHeaders: false,
  handler: (req, res) => {
    res.status(429).json({
      error: 'Too Many Requests',
      retryAfter: 60
    });
  }
}));

Related Status Codes

503 Service Unavailable 408 Request Timeout

How HTTP Status Codes Work

Every HTTP response carries a three-digit status code that tells the client — browser, API consumer, or search-engine crawler — exactly what happened. The first digit defines the class: 1xx informational (request in progress), 2xx success, 3xx redirection, 4xx client error (bad request, missing auth, not found), and 5xx server failure.

Status codes are standardised in RFC 9110 (HTTP Semantics, 2022). Extensions like WebDAV (RFC 4918) and rate-limit headers (RFC 6585) added codes beyond the core set. When a client receives an unrecognised code, the rule is to treat it as the generic x00 of its class.

Why the Right Code Matters

Semantically correct codes help search engines index accurately (301 passes link equity; 410 removes pages faster than 404), allow API clients to implement correct retry logic (429 + Retry-After, 503 + Retry-After), and let monitoring systems distinguish bugs (500) from load issues (503) from auth failures (401/403).

Looking up a different status code? The full reference covers all HTTP codes with causes, fix guides, and copyable code examples for Node.js and Python.

Browse the full HTTP Status Code reference →

Frequently Asked Questions

What does HTTP 429 Too Many Requests mean?
Rate limiting has kicked in — the client is making requests too quickly. The server should include a Retry-After header indicating when the client can try again. This protects services from abuse, DoS attacks, and accidental hammering.
Is HTTP 429 the visitor's fault?
HTTP 429 Too Many Requests is generally a client-side error, meaning the request itself has an issue. However, many causes — such as a broken link on the site or a misconfigured redirect — are the website owner's responsibility, not the visitor's.
How do I fix HTTP 429 Too Many Requests?
As a visitor: check the URL for typos, go to the homepage, or search for the content. As a developer: always include Retry-After header (seconds or HTTP date).