Mojang · Rate Limits

Mojang Rate Limits

Mojang's public API surface (api.mojang.com, sessionserver.mojang.com, api.minecraftservices.com) is rate-limited primarily per source IP and, on player-scoped endpoints, per account. Limits are enforced as hard throttles returning HTTP 429. The session server tolerates a far higher RPS than the legacy public API because it sits on the login-handshake hot path. A small number of endpoints carry per-account quotas (name-availability checks, server-join calls) that are stricter than the per-IP defaults. There is no public form for raising limits; production load that exceeds them must be sharded across IPs and accounts. New experimental rate limits were rolled out to api.mojang.com lookups in January 2025; consumers should treat all published numbers as approximate.

Mojang Rate Limits is the machine-readable rate-limit profile for Mojang on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 6 rate-limit definitions, measuring requests_per_minute, requests_per_second, and varies.

The profile also includes 6 backoff/retry policies defined and response codes documented for throttled, quotaExceeded, authFailure, and invalidArgument.

Tagged areas include Rate Limiting, Identity, Session, and Minecraft.

6 Limits Throttle: 429 Quota: 429
Rate LimitingIdentitySessionMinecraft

Limits

Standard per-IP request budget IP
requests_per_minute · minute
100
Documented as "200 requests per 2 minutes per IP" — equivalent to ~100 req/min. IPv6 callers are bucketed by /56 subnet.
Session server profile and texture lookups IP
requests_per_second · second
40
sessionserver.mojang.com tolerates roughly 400 requests per 10 seconds, the highest sustained budget on the surface, because it sits on the Minecraft login hot path.
Name-availability check account
requests_per_minute · minute
4
Approximately 20 requests per 5 minutes per account; sustained checks above this rate produce HTTP 429.
Server-join handshake account
requests_per_second · second
0.2
Roughly 6 successful join calls per 30 seconds per account on sessionserver.mojang.com/session/minecraft/join.
Bulk profile lookup IP
requests_per_minute · minute
100
The bulk byname endpoints accept at most 10 usernames per call; callers attempting more than 10 in one request receive HTTP 400. Per-IP budget otherwise tracks the standard quota.
Authenticated player attribute writes account
varies
see Minecraft Services API reference for per-endpoint guidance
Skin upload, cape changes, attribute updates, friends mutations and presence reports are accepted at the standard per-account rate but are routinely throttled when called in tight loops.

Policies

Exponential backoff on 429
Honour the Retry-After header where supplied; otherwise back off exponentially starting at 1 second and capping at 60 seconds.
Account-scoped operations
Name change, skin change, friends, and presence operations are throttled per Minecraft account, not just per IP. Sharding across IPs does not help these endpoints.
IPv6 subnet bucketing
IPv6 traffic is bucketed by /56 subnet for the per-IP budget, preventing rotation through individual addresses within a single allocation.
No documented limit increase
Mojang does not publish a process for raising rate limits. Production load above the documented budget must be sharded across multiple source IPs and accounts.
Experimental limits as of January 2025
Mojang noted that "experimental rate limits" are in effect on the legacy api.mojang.com username-to-UUID endpoints. Callers should design for sudden, undocumented tightening.
Blocked-server list caching
/blockedservers is intended to be cached client-side (5 minutes is typical for Minecraft clients) rather than polled.

Sources