HashiCorp · Rate Limits

Hashicorp Rate Limits

HashiCorp publishes rate limits primarily for HCP Terraform. The platform enforces ~30 requests/second per authenticated user (or per IP for unauthenticated requests) across most endpoints, with stricter ceilings on sensitive endpoints (SMS/2FA at 5/min, email-sending at 10–100/min, certain account operations at 40/hour). Limits are scoped per user — multiple tokens cannot bypass the limit. Other HashiCorp products (Vault, Consul, Nomad, Boundary) enforce limits configured by the operator at deploy time.

Hashicorp Rate Limits is the machine-readable rate-limit profile for HashiCorp on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 5 rate-limit definitions, across the all and self-managed tiers, measuring requests_per_second, requests_per_minute, requests_per_hour, and varies.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled, quotaExceeded, and serviceUnavailable.

Tagged areas include Cloud, DevOps, Infrastructure, Platform, and Rate Limiting.

5 Limits Throttle: 429 Quota: 429
CloudDevOpsInfrastructurePlatformRate LimitingQuotasThrottling

Limits

HCP Terraform — Default API rate user-or-ip
requests_per_second · second
30
Applies to most HCP Terraform API endpoints, authenticated by user or by source IP for unauthenticated requests.
HCP Terraform — SMS / 2FA endpoints user
requests_per_minute · minute
5
HCP Terraform — Email-sending endpoints user
requests_per_minute · minute
10–100
Per-endpoint variation; verify against the specific endpoint reference.
HCP Terraform — Account operations user
requests_per_hour · hour
40
Vault / Consul / Nomad / Boundary — Operator-configured cluster
varies
configured by operator (see product docs)

Policies

Per-User Scoping
HCP Terraform rate limits are bound to the authenticated user — multiple API tokens issued to the same user share the limit.
Backoff Strategy
On 429, clients should back off and retry with jitter. Retry-After is not universally documented; default to exponential backoff.
Sensitive Endpoint Throttling
SMS/2FA, email, and account-mutation endpoints have stricter per-minute / per-hour ceilings than the default 30 rps.
Self-Managed Configurability
For Vault, Consul, Nomad, and Boundary, request quotas and rate limits are configured by the cluster operator (e.g. Vault sys/quotas/rate-limit).

Sources