feat(ipa0114): add rate limiting guidelines to errors IPA

matt-condon · matt-condon · commit 7b2b238d6528 · 2025-12-18T12:06:19.000Z
diff --git a/ipa/general/0114.md b/ipa/general/0114.md
@@ -59,6 +59,25 @@ are treated as `404 Not Found` rather than `400 Bad Request`.
 
 :::
 
+### Rate Limiting
+
+- APIs **must** document the `429 Too Many Requests` status code for endpoints
+  that implement rate limiting.
+- APIs **must** return `429 Too Many Requests` when a client exceeds the allowed
+  request rate.
+- APIs **must** include the `Retry-After` HTTP response header when returning
+  `429 Too Many Requests` to indicate when the client can retry the request.
+  - The `Retry-After` header value **must** be expressed as time in seconds
+    until the next token is available.
+- APIs **should** include rate limit information in response headers to help
+  clients manage their request rates proactively:
+  - `RateLimit-Limit`: The maximum number of requests allowed in the current
+    rate limit window (bucket capacity)
+  - `RateLimit-Remaining`: The number of requests remaining in the current rate
+    limit window (remaining tokens)
+
+:::
+
 ### API Error Format
 
 ```json
