VirusTotal · Rate Limits

Virustotal Rate Limits

VirusTotal enforces rate limits per API key. The Public (free) API publishes hard numbers — 4 requests per minute and 500 requests per day. Premium and GTI Enterprise keys are governed by the customer's SLA rather than a public cap, and individual Premium surfaces (Livehunt, Retrohunt, Feeds, Private Scanning) carry their own per-feature quotas which are visible via the `/users/{id}/overall_quotas` and `/users/{id}/api_usage` endpoints. Limits apply per API key — the key carries all of the user's privileges and quota pool.

Virustotal Rate Limits is the machine-readable rate-limit profile for VirusTotal on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 10 rate-limit definitions, measuring requests_per_minute, requests_per_day, requests_per_month, notifications_per_day, and concurrent_jobs.

The profile also includes 8 backoff/retry policies defined and response codes documented for throttled, quotaExceeded, unauthorized, and forbidden.

Tagged areas include Rate Limiting, Threat Intelligence, and Anti-Malware.

10 Limits Throttle: 429 Quota: 429
Rate LimitingThreat IntelligenceAnti-Malware

Limits

Public API — request rate key
requests_per_minute · minute
4
Hard rate cap enforced per API key. Exceeding returns 429.
Public API — daily allowance key
requests_per_day · day
500
Daily quota resets at 00:00 UTC. Exceeding returns 429 until reset.
Public API — monthly allowance key
requests_per_month · month
15500
Approximate roll-up of the daily cap (500 × 31). Resets on the 1st of the month UTC.
Premium API — request rate key
requests_per_minute
per SLA
No public per-minute cap; defined in the customer's Premium contract.
Premium API — daily / monthly allowance key
requests_per_day
per SLA
Daily / monthly quota set per Premium contract. Visible via /users/{id}/overall_quotas.
Livehunt — daily notification limit per ruleset ruleset
notifications_per_day
per ruleset config
Configurable via the ruleset's `limit` field. Premium API only.
Retrohunt — concurrent jobs key
concurrent_jobs
per SLA
Bounded by the Premium contract; check /users/{id}/overall_quotas for current allocation.
Feeds — backfill window key
minutes
per SLA
Premium feed batches are available for a rolling window (typically 7 days). Older batches return 404.
File upload size key
bytes_per_request · usage
33554432
Direct POST /files cap at 32 MB. Use /files/upload_url for files up to 650 MB.
Large file upload size key
bytes_per_request · usage
681574400
Files > 32 MB and ≤ 650 MB must use the pre-signed URL flow.

Policies

Header-based throttling signal
On 429 responses, honour the Retry-After header where present. If absent, back off exponentially starting at 60s (matches the per-minute Public cap).
Per-key scoping
Every API key carries its own quota pool and privileges. Sharing keys across services double-counts against the same pool; provision separate keys per integration to avoid contention.
Quota visibility
Inspect current usage via GET /users/{id}/api_usage and current allowances via GET /users/{id}/overall_quotas. For group-managed accounts, use the /groups/{id} equivalents.
No multi-account workaround
VirusTotal explicitly prohibits creating multiple accounts to multiply the Public API quota. Use Premium for higher throughput.
Commercial use restriction (Public API)
The Public API cannot be used in commercial products or business workflows that don't contribute new files to the community. Commercial deployments must use Premium.
Idempotency by content hash
File reports are content-addressed by SHA-256. Re-submitting the same bytes yields the same id and consumes minimal quota — fetch by hash first, then submit only if absent.
Burst-aware client design
The Public API's 4 req/min cap means a naïve threaded client will be throttled within seconds. Insert a 15-second floor between requests, or use a token-bucket limiter sized at 4/min.
Sandbox-feature quotas separate
Livehunt notifications, Retrohunt scans, Private Scanning submissions, and Feed downloads each have their own per-feature quotas that are orthogonal to the per-minute / per-day request cap.

Sources