Fortify · Rate Limits

Fortify Rate Limits

Fortify on Demand exposes a REST API at api.emea.fortify.com / api.ams.fortify.com / api.apac.fortify.com with OAuth2 client credentials. OpenText does not publish numeric per-second rate limits in the public docs; throttles are per-tenant and oriented around long-running scan submission and result-retrieval operations. Self-managed Fortify SSC has no platform-imposed API limit.

Fortify Rate Limits is the machine-readable rate-limit profile for Fortify on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 2 rate-limit definitions, measuring varies and requests_per_second.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled and serviceUnavailable.

Tagged areas include Application Security, DAST, SAST, SCA, and Rate Limiting.

2 Limits Throttle: 429
Application SecurityDASTSASTSCARate Limiting

Limits

Fortify on Demand REST API per-tenant throttle tenant/api-key
varies
per-tenant; not publicly published
Fortify SSC self-hosted deployment
requests_per_second
operator-configured; no platform default

Policies

Async Scan Submission
Static, dynamic, and mobile scan submissions return a scan ID immediately and run asynchronously. Poll the scan-status endpoint with backoff rather than re-submitting.
Backoff Strategy
Clients should implement exponential backoff with jitter on 429/5xx and honor Retry-After.
Token Lifetime
OAuth2 access tokens have limited lifetime; refresh ahead of expiry rather than retrying after 401.
Region Routing
Use the region-specific FoD endpoint (EMEA, AMS, APAC) matching the tenant; cross-region calls are not supported.

Sources