Skip to main content
Relay enforces rate limits to ensure platform reliability and fair usage across integrators. Default limits apply to all requests. Higher limits are available via API keys.

Default Rate Limits (No API key)

The following limits apply when no API key is provided:
EndpointLimit
/quote50 requests per minute
/requests200 requests per minute
/transactions/status200 requests per minute
Other endpoints200 requests per minute

API key Rate Limits

When using an API key, limits increase and are applied per key:
EndpointLimit
/quote10 requests per second
/requests10 requests per second
/transactions/status10 requests per second
Other endpoints200 requests per minute
API keys are recommended for server-side production integrations and higher-throughput use cases.

How to Get an API key

Create an API key in the Relay Dashboard.

How to Use an API key

HTTP Requests

Pass the API key in the request headers:
This header should be included on all requests where higher rate limits are required.

SDK Usage

Proxy API

If using the sdk on the client, create a proxy api which appends the key in the headers and then pass that endpoint into the baseApiUrl parameter. This prevents your key from being leaked while allowing you to set up the necessary protection in your proxy api.

Keeping Your API key Secure

Your API key is sensitive — treat it like a password. It is tied to your account, controls your rate limits, and all requests made with it are attributed to you.
If your API key is leaked, unauthorized parties could consume your rate limits or make requests on your behalf. Contact us immediately if you suspect your key has been compromised and we will rotate it for you.
Best practices:
  • Keep it server-side only — never expose it in client-side or frontend code. Use a proxy API if calling Relay from the browser.
  • Use environment variables — store your key in environment variables, not hardcoded in source code.
  • Don’t commit it to version control — add it to .gitignore or use a secrets manager.
  • Restrict access — only share the key with team members who need it.