Rate Limits & Security
Understand the budgets, headers, and best practices for a reliable integration.
API use is subject to our Terms of Use, including permitted data uses (e.g. sales input, internal reports, LLM training) and restrictions (e.g. no scraping, resale, or public raw display).
Rate limits
Built for daily signal tracking, not historical archive research.
All API keys on your account, live and test, share the same budgets. Use GET /api/v1/stats for real-time usage: the response includes a rate_limits object with every limit (per_minute, daily, monthly, monthly_export, daily_company_detail, monthly_pagination). Each entry has limit, used, remaining, and reset_unix.
Good to know
- Two monthly budgets, both billed against the same account: 3,000 requests + 3,000 records. You hit the 429 when you exhaust either one.
- Cost per call: a list call with limit=25 costs 1 request and up to 25 records. A detail call (/companies/{id}) costs 1 request and 1 record.
- Only successful responses count: quota is charged only on a 2xx status. Errors (404, 4xx, 5xx) and rejected 429 requests do not consume budget.
- 20 requests/minute burst limit and 300 requests/day cap (anti-abuse).
- Up to 100 unique companies per day via detail endpoints. Repeat views are free.
- 200 page turns per month on list endpoints; max 500 records per query set.
- Reset windows (UTC): per-minute rolls every 60s; daily at midnight UTC; monthly at 00:00 UTC on the 1st of each calendar month.
Real-time usage: GET /api/v1/stats
The rate_limits object lists every limit with current used, remaining, and reset_unix. Keys: per_minute, daily, monthly, monthly_export, daily_company_detail, monthly_pagination.
{
  "rate_limits": {
    "per_minute": { "limit": 20, "used": 3, "remaining": 17, "reset_unix": 1739876543 },
    "daily": { "limit": 300, "used": 45, "remaining": 255, "reset_unix": 1739923200 },
    "monthly": { "limit": 3000, "used": 1200, "remaining": 1800, "reset_unix": 1740787200 },
    "monthly_export": { "limit": 3000, "used": 800, "remaining": 2200, "reset_unix": 1740787200 },
    "daily_company_detail": { "limit": 100, "used": 10, "remaining": 90, "reset_unix": 1739923200 },
    "monthly_pagination": { "limit": 200, "used": 50, "remaining": 150, "reset_unix": 1740787200 }
  }
}
Rate limit headers
Every API response includes headers listing all critical limits. On 429 responses, additional headers indicate which limit was hit and when it resets.
On every response (200 and 429)
All critical limits are listed so you can surface them in your UI and avoid hitting them:
- X-RateLimit-Per-Minute-Limit: 20
- X-RateLimit-Daily-Limit: 300
- X-RateLimit-Monthly-Limit: 3,000
- X-RateLimit-Monthly-Pagination-Limit: 200 page turns/month
- X-RateLimit-Daily-Company-Detail-Limit: 100 unique companies/day
- X-RateLimit-Test-Key-Monthly-Limit: 300 (test keys only)
On 429 only: the limit that was hit
When a limit is exceeded, these headers identify the limit and when it resets:
- X-RateLimit-Limit-Type: which limit was hit (per_minute, daily, monthly, monthly_export, monthly_pagination, daily_company_detail)
- X-RateLimit-Limit: numeric limit for that window
- X-RateLimit-Remaining: 0 (exceeded)
- X-RateLimit-Used: current usage for that window
- X-RateLimit-Reset: Unix timestamp when the limit resets
- Retry-After: seconds until retry (when applicable, e.g. 60 for per-minute)
When a limit is exceeded
Only successful requests are billed
Quota is charged only on a 2xx status. Requests that fail (404, other 4xx, 5xx) and requests rejected with 429 never count against your budget. A typo or a not-found lookup costs you nothing.
The API returns HTTP 429 with a JSON body that always includes limit_type, limit, and used:
{
  "error": "Daily API request limit reached (300/300 today). Resets at midnight UTC.",
  "limit_type": "daily",
  "limit": 300,
  "used": 300,
  "retry_after": 4521,
  "detail": "daily_limit_exceeded"
}
limit_type values: per_minute, daily, monthly, monthly_export, monthly_pagination, daily_company_detail. When present, retry_after is seconds until you can retry.
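The following is an added example, not code from the API provider: one way a client can turn a 429 response into a decision, using the body fields and headers described above. The function name, the action labels, the 5xx backoff and the 60-second cap are assumptions of this example.

```python
import random

SHORT_WINDOWS = {"per_minute"}  # limits worth waiting out inside the process


def _seconds(value):
    """Parse a non-negative integer hint from a header or body field."""
    text = str(value).strip()
    return float(text) if text.isdigit() else None


def retry_plan(status, headers, body, attempt, now, rng=random.random):
    """Decide what to do with one response.

    Returns (action, wait_seconds): "ok", "retry" (sleep, then resend),
    "stop" (budget is gone until the reset) or "fail" (do not resend).
    """
    if 200 <= status < 300:
        return ("ok", 0.0)
    if status >= 500:
        # No server hint: capped exponential backoff with full jitter.
        return ("retry", min(60.0, 2.0 ** attempt) * rng())
    if status != 429:
        return ("fail", 0.0)

    h = {k.lower(): v for k, v in headers.items()}
    limit_type = body.get("limit_type") or h.get("x-ratelimit-limit-type", "")

    # Prefer the server's hint: body retry_after, then Retry-After, then
    # the distance to X-RateLimit-Reset (a Unix timestamp).
    wait = _seconds(body.get("retry_after"))
    if wait is None:
        wait = _seconds(h.get("retry-after"))
    if wait is None:
        reset = _seconds(h.get("x-ratelimit-reset"))
        wait = max(0.0, reset - now) if reset is not None else None

    if limit_type in SHORT_WINDOWS:
        if wait is None:
            wait = min(60.0, 2.0 ** attempt)
        # Jitter keeps parallel workers from resuming in the same second.
        return ("retry", wait + rng())
    # Daily and monthly budgets cannot recover within a retry loop:
    # stop the job and surface the reset time instead of resending.
    return ("stop", wait)
```

A "stop" result is the signal to pause the whole job and alert, since every further request is rejected until the window resets.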
Filter values and data formats
Using the correct format for filter values avoids errors and improves efficiency.
Countries
Use 2-letter ISO country codes:
- US: United States
- GB: United Kingdom
- DE: Germany
- FR: France
- CA: Canada
Get the full list via /api/v1/filters
Funding amounts
Flexible format with suffixes:
- 1M = $1,000,000
- 500K = $500,000
- 2.5B = $2,500,000,000
- 1000000 = $1,000,000
Suffixes: K (thousands), M (millions), B (billions)
Industries & stages
Use exact values from the filters endpoint:
- Industries: "AI", "Fintech", "Healthcare", "SaaS"
- Stages: "Pre-Seed", "Seed", "Series A", "Series B", "Series C+", "Debt", "undisclosed", "Bootstrapped"
Case-sensitive; use /api/v1/filters for current values
Getting filter values
Always fetch current filter values:
curl -X GET "https://fundup.ai/api/v1/filters" \
-H "Authorization: Bearer YOUR_API_KEY_HERE"
This ensures you're using valid, up-to-date values.
Best practices
Caching
- Cache responses when possible
- Use ETags for conditional requests
- Implement local caching for frequently accessed data
- Set appropriate cache headers in your application
Request optimization
- Use pagination to limit response size
- Request only the data you need
- Combine multiple filters in single requests
- Use the search endpoint for complex queries
Error handling
- Always check response status codes
- Implement exponential backoff for 429 errors
- Monitor rate limit headers
- Handle network errors gracefully
Monitoring
- Track your API usage regularly
- Monitor rate limit headers
- Set up alerts for high usage
- Use the /stats endpoint to check usage
Security
API key security
Keep your API keys secure and never expose them in client-side code or public repositories.
Security guidelines
- Never commit API keys to version control: use environment variables or secure configuration management.
- Use HTTPS only: all API requests must use HTTPS encryption.
- Rotate keys regularly: delete old keys and create new ones periodically.
- Monitor usage: regularly check your API usage for unusual activity.
- Separate environments: use different keys for production and development.
HTTPS requirement
All API requests must be made over HTTPS. HTTP requests are rejected for security reasons.
Base URL
https://fundup.ai/api/v1
Always use HTTPS so your data is encrypted in transit.
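The following is an added example, not code from the API provider, showing how a client can enforce the key-handling and HTTPS guidelines above in code. The environment variable name FUNDUP_API_KEY, the class names and the same-host redirect rule are assumptions of this example.

```python
import os
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://fundup.ai/api/v1"  # base URL given on this page
KEY_ENV_VAR = "FUNDUP_API_KEY"         # hypothetical variable name


class ConfigError(Exception):
    """Raised when the client is configured in an unsafe way."""


def load_api_key(environ=os.environ):
    """Take the key from the environment so it never sits in source control."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key or key == "YOUR_API_KEY_HERE":
        raise ConfigError(f"{KEY_ENV_VAR} is not set")
    return key


def build_request(path, api_key, base_url=BASE_URL):
    """Build an authenticated GET request, refusing any non-HTTPS base URL."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ConfigError("base URL must start with https://")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})


class SameHostHttpsRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies request headers onto redirects, so vet the target first."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        old, new = urlsplit(req.full_url), urlsplit(newurl)
        if new.scheme != "https" or new.netloc != old.netloc:
            raise ConfigError("refusing redirect that would expose the API key")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def make_opener():
    """Opener whose redirect handling cannot downgrade or leave the API host."""
    return urllib.request.build_opener(SameHostHttpsRedirect())
```

Using a separate key per environment then only means setting a different value for the variable in production and development.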
Need help?
Questions about rate limits, security, or your integration? Contact our support team.