National Institute of Standards and Technology (NIST) · Rate Limits

Nist Rate Limits

NIST publishes explicit rate limits for the National Vulnerability Database (NVD) API. Anonymous callers get 5 requests per 30-second rolling window; callers with a free API key get 50 requests per 30-second rolling window. Other NIST APIs (NIST Chemistry WebBook, Internet Time Service) do not document per-key limits but are subject to firewall-level DOS protection. NIST recommends a 6-second sleep between requests to stay within compliance.

Nist Rate Limits is the machine-readable rate-limit profile for National Institute of Standards and Technology (NIST) on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 3 rate-limit definitions, measuring requests_per_30_seconds and requests_per_second.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled and forbidden.

Tagged areas include Rate Limiting, Cybersecurity, Government, and Public Data.

3 Limits Throttle: 403
Rate LimitingCybersecurityGovernmentPublic Data

Limits

NVD API — Anonymous IP
requests_per_30_seconds · second
5
30-second rolling window. Recommended 6-second sleep between requests.
NVD API — API Key api_key
requests_per_30_seconds · second
50
30-second rolling window. 10x increase over anonymous.
Other NIST APIs (Chemistry WebBook, Time Service, etc.) IP
requests_per_second
see firewall fair-use policy
No published per-key RPS; firewall enforces DOS protection.

Policies

6-second sleep recommendation
NIST recommends sleeping ~6 seconds between requests so legitimate requests are not blocked by firewall DOS protection.
Free API key registration
API keys are free and obtained via the NVD developer portal — request, accept Terms of Use, and activate via email link.
Firewall-level enforcement
NIST firewall rules apply at the perimeter; 403 responses indicate firewall throttling rather than application-level 429.
Spread queries
For full NVD ingest, paginate with resultsPerPage=2000 and use lastModStartDate / lastModEndDate windowed sync rather than re-querying the full dataset.

Sources