Relay enforces rate limits to ensure platform reliability and fair usage across integrators. Default limits apply to all requests. Higher limits are available via API keys.
Default Rate Limits (No API key)
The following limits apply when no API key is provided:
| Endpoint | Limit |
|---|
/quote | 50 requests per minute |
/requests | 200 requests per minute |
/transactions/status | 200 requests per minute |
| Other endpoints | 200 requests per minute |
API key Rate Limits
When using an API key, limits increase and are applied per key:
| Endpoint | Limit |
|---|
/quote | 10 requests per second |
/requests | 10 requests per second |
/transactions/status | 10 requests per second |
| Other endpoints | 200 requests per minute |
API keys are recommended for server-side production integrations and higher-throughput use cases.
How to Get an API key
Create an API key in the Relay Dashboard.
How to Use an API key
HTTP Requests
Pass the API key in the request headers:
This header should be included on all requests where higher rate limits are required.
SDK Usage
Proxy API
If using the sdk on the client, create a proxy api which appends the key in the headers and then pass that endpoint into the baseApiUrl parameter. This prevents your key from being leaked while allowing you to set up the necessary protection in your proxy api.
Keeping Your API key Secure
Your API key is sensitive — treat it like a password. It is tied to your account, controls your rate limits, and all requests made with it are attributed to you.
If your API key is leaked, unauthorized parties could consume your rate limits or make requests on your behalf. Contact us immediately if you suspect your key has been compromised and we will rotate it for you.
Best practices:
- Keep it server-side only — never expose it in client-side or frontend code. Use a proxy API if calling Relay from the browser.
- Use environment variables — store your key in environment variables, not hardcoded in source code.
- Don’t commit it to version control — add it to
.gitignore or use a secrets manager.
- Restrict access — only share the key with team members who need it.