The ClickTerm API applies rate limits to ensure fair usage and platform stability.

Limits

| Endpoint type | Rate limit | Billing |
| --- | --- | --- |
| POST /clickwrap/verify | Subject to your plan’s event quota | Counted toward billing |
| GET endpoints (events, certificates, status, templates) | Standard rate limiting applies | Free |
| SDK requests (ClicktermDialog.show()) | No rate limit — free and unlimited | Free |

Only POST /clickwrap/verify calls count toward your billing. All other requests are free. See clickterm.com/pricing for pricing details.

Rate limit responses

If you exceed the rate limit, the API returns:
HTTP 429 Too Many Requests

Response headers

When rate-limited, the API includes standard headers to help your integration respond appropriately:
| Header | Description |
| --- | --- |
| Retry-After | Number of seconds to wait before retrying the request |

Always read the Retry-After header and wait the specified duration before retrying. Implementing exponential backoff is recommended for production integrations.

Handling rate limits in code

async function verifyWithRetry(signature, maxRetries = 3) {
  for (let attempt = 0; attempt < maxRetries; attempt++) {
    const response = await fetch(
      "https://api.clickterm.com/public-client/v1/clickwrap/verify",
      {
        method: "POST",
        headers: {
          "X-APP-ID": process.env.CLICKTERM_APP_ID,
          "X-APP-KEY": process.env.CLICKTERM_APP_KEY,
          "Content-Type": "application/json",
        },
        body: JSON.stringify({ clicktermSignature: signature }),
      }
    );

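    if (response.status === 429) {
      // Retry-After may be missing or not a plain number of seconds. Fall back
      // to 5 s so a NaN delay never turns into an immediate retry.
      const parsed = parseInt(response.headers.get("Retry-After") ?? "", 10);
      const retryAfter = Number.isFinite(parsed) && parsed >= 0 ? parsed : 5;
      await new Promise((resolve) => setTimeout(resolve, retryAfter * 1000));
      continue;
    }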

    return await response.json();
  }
  throw new Error("Max retries exceeded");
}

Best practices

  • Cache consent status — Call GET /clickwraps/{endUserId}/status once per session rather than before every action
  • Rate limit your own verification calls — Add a Captcha or rate limiter before POST /clickwrap/verify to prevent abuse from end users
  • Don’t poll for events — Use the verification response directly rather than polling event details
  • Batch certificate downloads — If archiving certificates, spread downloads over time rather than fetching all at once
  • Implement retry logic — Use the Retry-After header with exponential backoff for 429 responses
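
The "Rate limit your own verification calls" practice above, as an added example (not ClickTerm's code): a per-caller token bucket that your backend checks before forwarding to POST /clickwrap/verify, so a single end user cannot burn through the billed event quota. The class name, the defaults and the choice of key (end user ID or client IP) are assumptions.

```javascript
// Added example: per-caller token bucket checked before POST /clickwrap/verify.
// VerifyLimiter and its defaults are hypothetical; tune them to your plan's quota.
class VerifyLimiter {
  constructor({ capacity = 5, refillPerSec = 0.1, maxKeys = 10000, now = Date.now } = {}) {
    this.capacity = capacity;         // burst size per caller
    this.refillPerSec = refillPerSec; // sustained rate per caller
    this.maxKeys = maxKeys;           // memory bound under key flooding (>= 1)
    this.now = now;                   // injectable clock in ms, for testing
    this.buckets = new Map();         // key -> { tokens, last }, least recent first
  }

  // Tokens a bucket holds at time t, after refilling since its last use.
  refilled(bucket, t) {
    const elapsedSec = Math.max(0, t - bucket.last) / 1000;
    return Math.min(this.capacity, bucket.tokens + elapsedSec * this.refillPerSec);
  }

  // Returns { allowed, retryAfterSec }. Call before every billed verify request.
  check(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (bucket) {
      this.buckets.delete(key); // re-inserted below so Map order tracks recency
    } else {
      if (this.buckets.size >= this.maxKeys) {
        // Evict only an entry that has fully refilled, so eviction never resets
        // a throttled caller. If the oldest is still throttled, fail closed.
        const [oldKey, oldBucket] = this.buckets.entries().next().value;
        if (this.refilled(oldBucket, t) < this.capacity) {
          return { allowed: false, retryAfterSec: Math.ceil(1 / this.refillPerSec) };
        }
        this.buckets.delete(oldKey);
      }
      bucket = { tokens: this.capacity, last: t };
    }
    bucket.tokens = this.refilled(bucket, t);
    bucket.last = t;
    this.buckets.set(key, bucket);
    if (bucket.tokens >= 1) {
      bucket.tokens -= 1;
      return { allowed: true, retryAfterSec: 0 };
    }
    const waitSec = (1 - bucket.tokens) / this.refillPerSec;
    return { allowed: false, retryAfterSec: Math.ceil(waitSec) };
  }
}
```

On a denied check, answer your own client with HTTP 429 and the returned retryAfterSec as Retry-After, and skip the ClickTerm call.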