Security
Rate Limits
The SCAYLE Checkout API employs strict, IP-based rate limiting to ensure platform stability and protect your business operations and customer data against malicious activities.
Different endpoints have specific thresholds tailored to the types of automated abuse they attract, for example:
- Authentication endpoints (logins, registrations): rate limits prevent credential stuffing, brute-force attacks, and account takeovers.
- Catalog and product endpoints: rate limits prevent automated product scraping and inventory hoarding.
- Voucher and gift card endpoints: rate limits prevent voucher enumeration and fraud.
- Checkout and state endpoints: rate limits protect against volumetric abuse, bot-driven scalping, and system overloads.
Key Technical Details
- Evaluation: rate limits are tracked and evaluated per client IP address (ip.src).
- Whitelisted IPs: if your backend servers, office networks, or testing environments operate on IP addresses that are already whitelisted with SCAYLE, those IPs are exempt from these limits and won't be blocked. If that's not the case, reach out to your SCAYLE Account Manager to adjust the whitelist.
- Mitigation: if a client IP address exceeds the allowed threshold, it is temporarily blocked from accessing the targeted endpoint for a predefined duration.
Under normal, human-driven interactions, legitimate customers won't trigger these blocks.
Specific Thresholds and Load Testing
For security reasons, exact request thresholds and endpoint-specific limits are not publicly disclosed.
If you're planning to conduct automated load testing, performance testing, or have specific questions about the thresholds for your integration, reach out to your SCAYLE Account Manager in advance to coordinate.
Rate Limit Responses
Depending on the endpoint targeted, the API returns different HTTP status codes when an IP is blocked due to rate limiting.
Standard Endpoints
When a rate limit is exceeded on standard endpoints (Checkout, state, vouchers, etc.), the API returns an HTTP 429 Too Many Requests or 403 Forbidden status code.
Authentication and Login Endpoints
To obscure the status of authentication endpoints from potential attackers during a block, the API drops the request and returns an HTTP 404 Resource Not Found status code instead of a traditional rate-limit response.
The response mirrors the application's native status code and response payload, ensuring attackers can't distinguish a rate-limit block from a standard application error.
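The response handling described above, as an added example that is not SCAYLE's own code: a client-side classifier maps the status codes this page documents (429 or 403 on standard endpoints, 404 on authentication endpoints) to a verdict and retries with capped, jittered backoff instead of hammering a blocked endpoint. The `send` callable and `make_sender` helper are assumptions standing in for the integrator's real HTTP call; block durations and thresholds are undisclosed, so the backoff cap is a constructed value.

```python
import random
import time
from typing import Callable, Literal

# Endpoint kinds named on the page: authentication endpoints answer a block
# with a 404 that mirrors the app's own error; standard endpoints (checkout,
# state, vouchers) answer with 429 or 403.
Kind = Literal["auth", "standard"]
Verdict = Literal["ok", "rate_limited", "possible_block", "client_error"]


def classify(kind: Kind, status: int) -> Verdict:
    """Map an HTTP status to what it means for rate limiting on this endpoint kind."""
    if 200 <= status < 300:
        return "ok"
    if kind == "standard" and status in (429, 403):
        return "rate_limited"
    if kind == "auth" and status == 404:
        # By design this is indistinguishable from a genuine 404, so treat it
        # as a possible block and back off rather than assuming a missing route.
        return "possible_block"
    return "client_error"


def backoff_seconds(attempt: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Exponential backoff with full jitter; cap is a constructed value."""
    return random.uniform(0, min(cap, base * 2 ** attempt))


def call_with_backoff(kind: Kind, send: Callable[[], int], max_attempts: int = 5,
                      sleep: Callable[[float], None] = time.sleep):
    """Call send() (assumed to return the HTTP status) until it succeeds or fails
    non-retryably; returns (status, verdict, attempts_used)."""
    for attempt in range(max_attempts):
        status = send()
        verdict = classify(kind, status)
        if verdict in ("ok", "client_error"):
            return status, verdict, attempt
        sleep(backoff_seconds(attempt))  # rate_limited or possible_block: wait
    return status, verdict, max_attempts


def make_sender(statuses: list[int]) -> Callable[[], int]:
    """Constructed stand-in for a request function: replays the given statuses,
    then keeps returning the last one (simulates a block that persists)."""
    it = iter(statuses)
    last = statuses[-1]

    def send() -> int:
        nonlocal last
        last = next(it, last)
        return last
    return send
```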