To ensure fair usage and protect the stability of the MpesaFlow API, requests are subject to rate limits. Rate limits vary depending on the environment you are using production vs development.

How Rate Limits Work

  • Each request you make to the API consumes from a rate limit quota.
  • If you exceed your allocated limit, the API will return a 429 Too Many Requests error.
  • Rate limits are scoped to your environment (production or development).
    • Requests in development do not affect your production quota, and vice versa.

Rate Limit Headers

Every response from the API includes rate limit headers so you can programmatically track your remaining quota:
HeaderDescription
X-RateLimit-LimitThe maximum number of requests that the consumer is permitted to make.
X-RateLimit-RemainingThe number of requests remaining in the current rate limit window.
X-RateLimit-ResetThe time at which the current rate limit window resets in UTC epoch seconds.
When the rate limit is exceeded, an error is returned with the status “429 Too Many Requests”: 
{
  "error": {
    "status": 429,
    "code": "rate_limit_exceeded",
    "message": "You have exceeded your request limit. Please try again later."
  }
}

Environment-Based Limits

We apply different rate limits depending on your environment:
EnvironmentRequests per minuteBurst capacity
Production100 requests/min200 requests
Development20 requests/min50 requests
  • Use development keys to build and test without worrying about exhausting your production quota.
  • Switch to production keys when you go live with your integration.