# Rates & Limits

The Xyxyx API uses a two-tiered rate limiting system. Rate limits are determined by the user's token balance. Two options are offered for gaining access to the API:

| Token                         | Rate Limit (calls per 24h) | Requirement                                    |
| ----------------------------- | -------------------------- | ---------------------------------------------- |
| **Xyxyx API Key**             | 25                         | Address holds at least `1` Xyxyx API Key token |
| **Xyxyx Issuer Nodes (XINs)** | TBA                        | Address holds at least `1` XIN                 |

***

#### How are rate limits counted?

<table data-view="cards"><thead><tr><th>Action</th><th>API Call</th><th></th></tr></thead><tbody><tr><td>Deploy Contract</td><td>1</td><td></td></tr><tr><td>Mint Token</td><td>1</td><td></td></tr><tr><td>Transfer Token</td><td>0</td><td></td></tr></tbody></table>

***

#### How are rate limits enforced?

#### 1. Wallet Verification

Each request must include the private key for the wallet you wish to use:

```json
{
  "walletPrivateKey": "YOUR_PRIVATE_KEY_HERE"
}
```

Upon receiving the request:

1. The system checks the wallet balance using the provided `walletPrivateKey`.
2. It verifies which token the wallet holds (Xyxyx API Keys or XINs, or both).
3. The rate limit is applied based on the verified token type in the wallet.

In other words, when making an API request, you will include your `walletPrivateKey` in the request body (JSON format). Our system uses this private key to verify the associated public key and its token balance.

***

#### 2. 24-Hour Rolling Window

All rate limits are enforced on a rolling 24-hour basis. This means that each API call is timestamped, and your remaining quota is calculated based on calls made within the last 24 hours. Once the limit is reached, further requests will be blocked until your usage resets below the threshold.
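The rolling window and the per-action call counts described on this page can be mirrored on the client so that an application stops sending before it hits the limit. This is an added example, not Xyxyx code: the `RollingQuota` class and the action key names are hypothetical, and it assumes the server counts calls the same way; only the limit of 25 and the per-action costs come from this page.

```python
from collections import deque

WINDOW_SECONDS = 24 * 60 * 60
# Call costs from the table on this page; the dictionary keys are assumed names.
ACTION_COST = {"deploy_contract": 1, "mint_token": 1, "transfer_token": 0}


class RollingQuota:
    """Client-side mirror of a rolling 24h quota. Pass time.time() as `now`."""

    def __init__(self, limit=25):
        if limit < 1:
            raise ValueError("limit must be at least 1")
        self.limit = limit
        self._calls = deque()  # timestamps (seconds) of counted calls, oldest first

    def _expire(self, now):
        # Drop calls that have aged out of the 24-hour window.
        while self._calls and now - self._calls[0] >= WINDOW_SECONDS:
            self._calls.popleft()

    def remaining(self, now):
        """Counted calls still available at time `now`."""
        self._expire(now)
        return self.limit - len(self._calls)

    def retry_after(self, now, cost=1):
        """Seconds until `cost` calls fit in the window (0 if they fit now)."""
        self._expire(now)
        short = cost - (self.limit - len(self._calls))
        if short <= 0:
            return 0
        # The `short`-th oldest call must age out before the request fits.
        return self._calls[short - 1] + WINDOW_SECONDS - now

    def try_acquire(self, action, now):
        """Record the action if quota allows; return False instead of sending."""
        cost = ACTION_COST[action]
        if self.retry_after(now, cost) > 0:
            return False
        self._calls.extend([now] * cost)
        return True
```
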

***

#### 3. Error Handling

If your application exceeds its allocated rate limit, an HTTP **429 (Too Many Requests)** status code is returned. The response may include information about how long you need to wait before making additional calls.

> Please note that Xyxyx API Keys can be freely traded on the secondary market and are instantly activated by the new address. However, if the API key was used in the previous window and the new address is still within that same window when incorporating it, the node will keep the previous address' discounts.

***

#### 4. XINs: **24-Hour Waiting Period**

XINs incorporated by an address are subject to a 24-hour waiting period before they can be used to interact with the Xyxyx API.

***

#### Security Considerations

* **Do not expose your private key**: Always ensure you transmit your private key securely. Ideally, you should sign the request and send the signature rather than the raw key.
* **Single point of authentication**: Using a single private key for all requests simplifies your usage but also centralizes risk. Follow best practices to protect this key.
* **Separate wallets**: You can maintain multiple wallets for different environments (development, testing, and production). Each wallet’s token balance is evaluated independently.

***

{% hint style="info" %}
If you have any questions regarding authentication, wallet usage, or encounter issues with rate limits, send us a message at <info@xyxyx.pro>.
{% endhint %}
