Rate Limits & Tiers - VantaPrism API

Tiers

Every API key belongs to one of three tiers. Your tier determines your rate limits, row caps, query-window, daily cost budget, and which scopes (endpoint groups) you can access.

	`free`	`pro`	`ultra`
Requests / minute (`rpm`)	30	300	1,200
Requests / day (`rpd`)	1,000	50,000	1,000,000
Max batch size (`max_batch`)	10	100	500
Max rows per response (`max_rows`)	25	100	500
Query window (`query_window_days`)	90 days	365 days	unlimited
Max concurrent requests	2	10	50
Aggregation requests / minute (`agg_per_min`)	5	60	240
Daily cost-unit budget (`cost_per_day`)	5,000	250,000	unlimited

“Aggregation” requests are endpoints whose response is computed by scanning/grouping rather than returning raw rows — domain/overview, domain/assets, domain/third-party-risk, search/infection-analysis, search/categorize-domains, search/keyword, and all stats/* endpoints. These count against agg_per_min in addition to rpm. Query window: any date-filterable endpoint clamps start_date to now - query_window_days if you request an older date. On free, a request for start_date: "2020-01-01" is silently clamped to 90 days ago.

Scopes per tier

Scope	`free`	`pro`	`ultra`
`search:domain`	✅	✅	✅
`search:login`	✅	✅	✅
`search:ip`	✅	✅	✅
`search:stealer`	✅	✅	✅
`search:password`	–	✅	✅
`search:file`	–	✅	✅
`search:keyword`	–	✅	✅
`search:advanced`	–	✅	✅
`view:cookies`	–	✅	✅
`view:autofill`	–	✅	✅
`view:cards`	–	✅	✅
`view:wallets`	–	✅	✅
`view:ftp`	–	✅	✅
`view:history`	–	✅	✅
`view:commands`	–	✅	✅
`view:keychain`	–	–	✅
`infection-analysis`	–	–	✅

Calling an endpoint you don’t have the scope for returns 403 FORBIDDEN_SCOPE — see Authentication.

Rate-limit response headers

Every response (success or error) from a rate-limited endpoint includes:

Header	Meaning
`X-RateLimit-RPM-Limit`	Your effective requests-per-minute limit
`X-RateLimit-RPM-Remaining`	Requests remaining in the current minute
`X-RateLimit-RPD-Remaining`	Requests remaining today
`X-RateLimit-Reset`	Unix timestamp when the per-minute window resets

429 responses

When a limit is exceeded, the API returns 429 with a Retry-After header (seconds) and one of the following codes:

`code`	Cause
`RATE_LIMIT_EXCEEDED`	You exceeded your tier’s `rpm`, `rpd`, or `agg_per_min`
`INFRASTRUCTURE_LIMIT_EXCEEDED`	An `ultra` key with no per-tier cap hit the platform-wide infrastructure ceiling (650 rpm / 800,000 rpd / 200 agg-per-min / 40 concurrent across all customers)
`QUOTA_EXHAUSTED`	Your daily cost-unit budget (`cost_per_day`) is fully consumed — resets at midnight UTC

429 Response

{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Rate limit exceeded for your current plan.",
    "request_id": "req_01HZXK3Q7N8YV6F3M2P9JABCDE"
  }
}

Handling 429s: back off for Retry-After seconds before retrying. For QUOTA_EXHAUSTED, retrying before the daily reset will continue to fail — either wait for the reset or upgrade your tier.

Cost units

Every request consumes “cost units” against your cost_per_day budget. Aggregation endpoints and larger result sets cost more than a single small lookup. Your current daily usage is visible via GET /v1/account.

Upgrading

Tier changes apply immediately to your existing API key — no need to regenerate it. Manage your plan from the dashboard.

​Tiers

​Scopes per tier

​Rate-limit response headers

​429 responses

​Cost units

​Upgrading