HashiCorp Cloud Platform · Rate Limits

HCP Rate Limits

HCP enforces API rate limits per authenticated user (or per IP for unauthenticated requests). The headline limit for HCP Terraform is ~30 requests/second across most endpoints. Sensitive endpoints have stricter ceilings — SMS/2FA at 5 requests/minute, email-sending at 10–100 requests/minute (per endpoint), and certain account operations at 40 requests/hour. Limits are scoped per user, so multiple tokens issued to the same user share the budget. Other HCP products (Vault, Consul, Boundary, Packer, Waypoint) inherit the HCP platform throttling layer.

HCP Rate Limits is the machine-readable rate-limit profile for HashiCorp Cloud Platform on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 4 rate-limit definitions across the "all" tier, measuring requests_per_second, requests_per_minute, and requests_per_hour.

The profile also defines 4 backoff/retry policies and documents response codes for throttled, quotaExceeded, and serviceUnavailable.

Tagged areas include Cloud, Infrastructure, DevOps, Secrets Management, and Service Networking.

4 Limits · Throttle: 429 · Quota: 429
Tags: Cloud, Infrastructure, DevOps, Secrets Management, Service Networking, Rate Limiting, Quotas, Throttling

Limits

HCP Terraform — Default API rate
Scope: user-or-ip
Metric: requests_per_second · Window: second
Limit: 30
Note: Documented for HCP Terraform; other HCP products share the platform throttling layer.

SMS / 2FA endpoints
Scope: user
Metric: requests_per_minute · Window: minute
Limit: 5

Email-sending endpoints
Scope: user
Metric: requests_per_minute · Window: minute
Limit: 10–100
Note: Specific endpoints fall in the 10–100/min band; verify per-endpoint.

Account operations
Scope: user
Metric: requests_per_hour · Window: hour
Limit: 40

Policies

Per-User Scoping
Rate limits are scoped per authenticated user, not per token — multiple tokens issued to the same user share the limit budget.
Backoff Strategy
On HTTP 429 with the JSON-API error "You have exceeded the API's rate limit", back off and retry with jitter; honor Retry-After when present.
Sensitive Endpoint Throttling
SMS/2FA, email, and account-mutation endpoints have tighter ceilings than the default 30 rps; design clients accordingly.
Unauthenticated Requests
Unauthenticated requests are bucketed by source IP rather than user.
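
The Backoff Strategy and Per-User Scoping policies above, combined in an added Python example (not code from HashiCorp or from this profile): a 429 seen on one token pauses every token of the same user, and the wait honors Retry-After before falling back to jittered backoff. The names retry_delay, UserGate and call_with_backoff, the send callable, and the base/cap values are assumptions.

```python
import email.utils
import random
import threading
import time

def retry_delay(headers, attempt, now=None, base=0.5, cap=30.0, rng=random.random):
    """Seconds to wait after a 429: Retry-After when usable, else jittered backoff."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after", "").strip()
    if value.isdigit():                                   # delta-seconds form
        return float(value)
    if value:                                             # HTTP-date form
        try:
            when = email.utils.parsedate_to_datetime(value).timestamp()
            return max(when - (time.time() if now is None else now), 0.0)
        except (TypeError, ValueError):
            pass                                          # unparseable: use backoff
    return rng() * min(cap, base * 2 ** attempt)          # full jitter (assumed base/cap)

class UserGate:
    """One pause deadline per user, shared by every token issued to that user."""
    def __init__(self, clock=time.monotonic):
        self._until, self._clock, self._lock = {}, clock, threading.Lock()

    def pause(self, user, seconds):
        with self._lock:
            deadline = self._clock() + seconds
            self._until[user] = max(self._until.get(user, 0.0), deadline)

    def remaining(self, user):
        with self._lock:
            return max(self._until.get(user, 0.0) - self._clock(), 0.0)

def call_with_backoff(send, user, gate, max_attempts=5, sleep=time.sleep, **delay_kw):
    """send() -> (status, headers, body). Retries on 429 only; returns (status, body)."""
    for attempt in range(max_attempts):
        wait = gate.remaining(user)   # another token of this user may have hit 429
        if wait > 0:
            sleep(wait)
        status, headers, body = send()
        if status != 429:
            return status, body
        gate.pause(user, retry_delay(headers, attempt, **delay_kw))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")
```

Key the gate on the user identity rather than the token string, and share one UserGate instance across all workers that authenticate as that user.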

Sources