Rate Limits & Security

Understand the budgets, headers, and best practices for a reliable integration.

API use is subject to our Terms of Use, including permitted data uses (e.g. sales input, internal reports, LLM training) and restrictions (e.g. no scraping, resale, or public raw display).

Rate limits

Built for daily signal tracking, not historical archive research.

All API keys on your account, live and test, share the same budgets. Use GET /api/v1/stats for real-time usage: the response includes a rate_limits object with every limit (per_minute, daily, monthly, monthly_export, daily_company_detail, monthly_pagination). Each entry has limit, used, remaining, and reset_unix.

3,000 requests per month, 1 per API call
3,000 records per month, 1 per row returned

Good to know

  • Two monthly budgets, both billed against the same account: 3,000 requests + 3,000 records. You receive a 429 as soon as either one is exhausted.
  • Cost per call: a list call with limit=25 costs 1 request and up to 25 records. A detail call (/companies/{id}) costs 1 request and 1 record.
  • Only successful responses count: quota is charged only on a 2xx status. Errors (404, other 4xx, 5xx) and rejected 429 requests do not consume budget.
  • 20 requests/minute burst limit and 300 requests/day cap (anti-abuse).
  • Up to 100 unique companies per day via detail endpoints. Repeat views are free.
  • 200 page turns per month on list endpoints; max 500 records per query set.
  • Reset windows (UTC): per-minute rolls every 60s; daily at midnight UTC; monthly at 00:00 UTC on the 1st of each calendar month.

Real-time usage: GET /api/v1/stats

The rate_limits object lists every limit with current used, remaining, and reset_unix. Keys: per_minute, daily, monthly, monthly_export, daily_company_detail, monthly_pagination.

{
  "rate_limits": {
    "per_minute": { "limit": 20, "used": 3, "remaining": 17, "reset_unix": 1739876543 },
    "daily": { "limit": 300, "used": 45, "remaining": 255, "reset_unix": 1739923200 },
    "monthly": { "limit": 3000, "used": 1200, "remaining": 1800, "reset_unix": 1740787200 },
    "monthly_export": { "limit": 3000, "used": 800, "remaining": 2200, "reset_unix": 1740787200 },
    "daily_company_detail": { "limit": 100, "used": 10, "remaining": 90, "reset_unix": 1739923200 },
    "monthly_pagination": { "limit": 200, "used": 50, "remaining": 150, "reset_unix": 1740787200 }
  }
}
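
A pre-flight check built on the rate_limits object above, as an added example (not Fundup's own code): it estimates the worst-case cost of a planned job and reports which budgets would run out. The function names, the mapping of monthly_export to the records budget, and the rule that each page after the first counts as one page turn are assumptions.

```python
import json

# Constructed sample: the rate_limits object from the /api/v1/stats example above.
SAMPLE_STATS = json.loads("""
{"rate_limits": {
  "per_minute": {"limit": 20, "used": 3, "remaining": 17, "reset_unix": 1739876543},
  "daily": {"limit": 300, "used": 45, "remaining": 255, "reset_unix": 1739923200},
  "monthly": {"limit": 3000, "used": 1200, "remaining": 1800, "reset_unix": 1740787200},
  "monthly_export": {"limit": 3000, "used": 800, "remaining": 2200, "reset_unix": 1740787200},
  "daily_company_detail": {"limit": 100, "used": 10, "remaining": 90, "reset_unix": 1739923200},
  "monthly_pagination": {"limit": 200, "used": 50, "remaining": 150, "reset_unix": 1740787200}
}}
""")

MAX_RECORDS_PER_QUERY_SET = 500  # documented cap on one list query


def plan_cost(pages, page_size, new_details):
    """Worst-case cost of one list query read in `pages` pages plus detail calls
    for `new_details` companies not yet viewed today."""
    requests = pages + new_details
    return {
        "daily": requests,
        "monthly": requests,
        # Assumption: monthly_export is the records budget (1 per row returned).
        "monthly_export": pages * page_size + new_details,
        # Assumption: every page after the first is one page turn.
        "monthly_pagination": max(pages - 1, 0),
        "daily_company_detail": new_details,
    }


def blocked_budgets(stats, pages, page_size, new_details):
    """Return [(key, needed, remaining, reset_unix)] for budgets the plan would exhaust."""
    if pages * page_size > MAX_RECORDS_PER_QUERY_SET:
        raise ValueError("plan exceeds 500 records per query set")
    limits = stats["rate_limits"]
    blocked = []
    for key, needed in plan_cost(pages, page_size, new_details).items():
        entry = limits[key]
        if needed > entry["remaining"]:
            blocked.append((key, needed, entry["remaining"], entry["reset_unix"]))
    return blocked


if __name__ == "__main__":
    print(blocked_budgets(SAMPLE_STATS, pages=10, page_size=25, new_details=100))
```

An empty result means the job fits every budget; otherwise each tuple carries the reset_unix to schedule the remainder against.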

Rate limit headers

Every API response includes headers listing all critical limits. On 429 responses, additional headers indicate which limit was hit and when it resets.

On every response (200 and 429)

All critical limits are listed so you can surface them in your UI and avoid hitting them:

  • X-RateLimit-Per-Minute-Limit: 20
  • X-RateLimit-Daily-Limit: 300
  • X-RateLimit-Monthly-Limit: 3,000
  • X-RateLimit-Monthly-Pagination-Limit: 200 page turns/month
  • X-RateLimit-Daily-Company-Detail-Limit: 100 unique companies/day
  • X-RateLimit-Test-Key-Monthly-Limit: 300 (test keys only)

On 429 only: the limit that was hit

When a limit is exceeded, these headers identify the limit and when it resets:

  • X-RateLimit-Limit-Type: which limit was hit (per_minute, daily, monthly, monthly_export, monthly_pagination, daily_company_detail)
  • X-RateLimit-Limit: numeric limit for that window
  • X-RateLimit-Remaining: 0 (exceeded)
  • X-RateLimit-Used: current usage for that window
  • X-RateLimit-Reset: Unix timestamp when the limit resets
  • Retry-After: seconds until retry (when applicable, e.g. 60 for per-minute)

When a limit is exceeded

Only successful requests are billed

Quota is charged only on a 2xx status. Requests that fail (404, other 4xx, 5xx) and requests rejected with 429 never count against your budget. A typo or a not-found lookup costs you nothing.

The API returns HTTP 429 with a JSON body that always includes limit_type, limit, and used:

429: Daily limit example
{
  "error": "Daily API request limit reached (300/300 today). Resets at midnight UTC.",
  "limit_type": "daily",
  "limit": 300,
  "used": 300,
  "retry_after": 4521,
  "detail": "daily_limit_exceeded"
}

limit_type values: per_minute, daily, monthly, monthly_export, monthly_pagination, daily_company_detail. When present, retry_after is seconds until you can retry.
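
One way to act on a 429 using the headers and body fields described above, as an added example (not Fundup's own client code): a short per-minute window is slept through, while long windows stop the job until the reset. The function names, the retry policy, the 120-second cap, and the constructed sample headers are assumptions.

```python
import time

RETRYABLE = {"per_minute"}  # assumption: only the 60 s window is worth sleeping through
MAX_SLEEP = 120             # assumption: never block a worker longer than this (seconds)

# Fields from the page's daily-limit example; the headers below are constructed samples.
DAILY_429_BODY = {"limit_type": "daily", "limit": 300, "used": 300, "retry_after": 4521}
PER_MINUTE_429_HEADERS = {"X-RateLimit-Limit-Type": "per_minute", "Retry-After": "60"}


def _to_int(value):
    """Parse a header or body number; None for missing, malformed or negative values."""
    try:
        n = int(str(value).strip())
    except (TypeError, ValueError):
        return None
    return n if n >= 0 else None


def on_response(status, headers, body, now=None):
    """Map one response to (action, limit_type, wait_seconds); action is ok/retry/stop."""
    if status != 429:
        return ("ok", None, 0)
    body = body or {}
    now = int(time.time()) if now is None else now
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    limit_type = h.get("x-ratelimit-limit-type") or body.get("limit_type")
    # Prefer Retry-After, then the body's retry_after, then X-RateLimit-Reset.
    wait = _to_int(h.get("retry-after"))
    if wait is None:
        wait = _to_int(body.get("retry_after"))
    if wait is None:
        reset = _to_int(h.get("x-ratelimit-reset"))
        wait = max(reset - now, 0) if reset is not None else None
    if limit_type in RETRYABLE and wait is not None and wait <= MAX_SLEEP:
        return ("retry", limit_type, wait + 1)  # +1 s so the window has rolled over
    # Daily/monthly windows or an unknown wait: stop and surface the reset to the caller.
    return ("stop", limit_type, wait)


if __name__ == "__main__":
    print(on_response(429, PER_MINUTE_429_HEADERS, {}))
    print(on_response(429, {}, DAILY_429_BODY))
```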

Filter values and data formats

Using the correct format for filter values avoids errors and improves efficiency.

Countries

Use 2-letter ISO country codes:

  • US: United States
  • GB: United Kingdom
  • DE: Germany
  • FR: France
  • CA: Canada

Get the full list via /api/v1/filters

Funding amounts

Flexible format with suffixes:

  • 1M = $1,000,000
  • 500K = $500,000
  • 2.5B = $2,500,000,000
  • 1000000 = $1,000,000

Suffixes: K (thousands), M (millions), B (billions)

Industries & stages

Use exact values from the filters endpoint:

  • Industries: "AI", "Fintech", "Healthcare", "SaaS"
  • Stages: "Pre-Seed", "Seed", "Series A", "Series B", "Series C+", "Debt", "undisclosed", "Bootstrapped"

Case-sensitive; use /api/v1/filters for current values

Getting filter values

Always fetch current filter values:

curl -X GET "https://fundup.ai/api/v1/filters" \
  -H "Authorization: Bearer YOUR_API_KEY_HERE"

This ensures you're using valid, up-to-date values.

Best practices

Caching

  • Cache responses when possible
  • Use ETags for conditional requests
  • Implement local caching for frequently accessed data
  • Set appropriate cache headers in your application

Request optimization

  • Use pagination to limit response size
  • Request only the data you need
  • Combine multiple filters in single requests
  • Use the search endpoint for complex queries

Error handling

  • Always check response status codes
  • Implement exponential backoff for 429 errors
  • Monitor rate limit headers
  • Handle network errors gracefully

Monitoring

  • Track your API usage regularly
  • Monitor rate limit headers
  • Set up alerts for high usage
  • Use the /stats endpoint to check usage

Security

API key security

Keep your API keys secure and never expose them in client-side code or public repositories.

Security guidelines

  • Never commit API keys to version control: use environment variables or secure configuration management.
  • Use HTTPS only: all API requests must use HTTPS encryption.
  • Rotate keys regularly: delete old keys and create new ones periodically.
  • Monitor usage: regularly check your API usage for unusual activity.
  • Separate environments: use different keys for production and development.

HTTPS requirement

All API requests must be made over HTTPS. HTTP requests are rejected for security reasons.

Base URL

https://fundup.ai/api/v1

Always use HTTPS so your data is encrypted in transit.

Need help?

Questions about rate limits, security, or your integration? Contact our support team.