Mindbody · Rate Limits

Mindbody Rate Limits

Mindbody enforces a per-API-key daily call quota across both sandbox and live modes of the Public API v6: 1,000 calls per API key per day. Live-mode usage beyond the quota is billed at roughly $0.003 per call rather than throttled, while sandbox usage is hard-capped at 1,000/day. There is no documented per-second or per-minute burst limit, so partners are responsible for pacing their own bursts. The Webhooks API enforces delivery-side controls instead of request-rate caps: webhook URLs must respond with a 2xx within 10 seconds, Mindbody retries every 15 minutes for up to 3 hours, and subscriptions are auto-deactivated after sustained delivery failures.

Mindbody Rate Limits is the machine-readable rate-limit profile for Mindbody on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 6 rate-limit definitions, measuring requests_per_day, varies, concurrent_subscriptions, seconds, and retries.

The profile also includes 8 backoff/retry policies defined and response codes documented for unauthorized, forbidden, notFound, badRequest, throttled, and serverError.

Tagged areas include Rate Limiting, Fitness, Wellness, Booking, and Webhooks.

6 Limits Throttle: 429
Rate LimitingFitnessWellnessBookingWebhooks

Limits

Public API v6 daily quota (live mode) key
requests_per_day · day
1000
First 1,000 calls per API key per day are free; overage calls are billed at ~$0.003 each rather than hard-throttled.
Public API v6 daily quota (sandbox) key
requests_per_day · day
1000
Sandbox/test environment is hard-capped at 1,000 calls per API key per day; no overage available.
Public API v6 burst pacing key
varies
no published per-second/per-minute cap; pace bursts client-side
Mindbody does not publish a per-second or per-minute burst ceiling; expect throttling responses on aggressive bursts and use exponential backoff.
Webhooks subscription cap account
concurrent_subscriptions
see Webhooks Developer Portal
Subscriptions are scoped to the account; the portal exposes the active subscription list.
Webhook delivery response time subscription
seconds · second
10
Subscriber URL must return a 2xx HTTP status within 10 seconds, otherwise the delivery is treated as failed.
Webhook delivery retry window subscription
retries
every 15 minutes for up to 3 hours
After 12 retry attempts (3 hours), Mindbody stops retrying the message.

Policies

Daily quota with overage billing (Public API)
Live-mode Public API usage is metered against a 1,000-call-per-day-per-key ceiling. Calls above the ceiling are not blocked — they incur an overage charge of approximately $0.003 per call on the partner invoice.
Hard cap (sandbox)
Sandbox traffic is hard-throttled at 1,000 calls per API key per day with no overage. Plan integration testing accordingly.
Exponential backoff
On any 4xx/5xx burst response, partners are expected to back off using an exponential delay (e.g. 1s, 2s, 4s, 8s) before retrying. Mindbody does not currently surface Retry-After headers, so back-off is partner-managed.
Idempotent webhook processing
Mindbody does not guarantee single-delivery or in-order delivery of webhook events. Subscribers MUST de-duplicate by messageId and reconcile with the Public API every 24 hours to catch drift.
HMAC signature verification
Every webhook payload carries an X-Mindbody-Signature header of the form `sha256={base64(HMAC-SHA256(messageSignatureKey, body))}`. Subscribers MUST verify the signature before processing.
TLS 1.2 minimum
Mindbody requires TLS v1.2 or higher for all Public API and webhook delivery callbacks. Older TLS versions are rejected.
Server-to-server only
Mindbody mandates that all Public API calls originate from a back-end server. Direct browser/client-side use of the API key is prohibited.
Webhook auto-deactivation
Subscriptions that accumulate too many failed delivery attempts move to DeactivatedTooManyFailedMessageDeliveryAttempts and a notification email is sent. Subscribers must reactivate the subscription via PATCH after fixing their endpoint.

Sources