specification: API Commons Rate Limits
specificationVersion: '0.1'
schema: https://raw.githubusercontent.com/api-evangelist/interface-research/main/schema/api-commons.yml#/$defs/RateLimits
provider: Token.io
providerId: token-io
created: '2026-05-25'
modified: '2026-05-25'
reconciled: false
tags:
- Open Banking
- Rate Limiting
- PSD2
description: 'Rate limit posture for the Token.io Open Banking API. Token.io itself does not publish a single
  global RPS / RPM number for the TPP API; effective limits are governed by (a) PSD2 / Open Banking Standard
  defaults applied per-consent at each connected bank, and (b) any TPP-level limits Token.io applies to its own
  API surface. Token.io recommends rate limiting on a per-consent basis to prevent overuse of bank-side AIS
  endpoints. Consult contract terms for production tenant-level limits.'
sources:
- https://support.token.io/hc/en-us/articles/22853099035673-Should-we-add-rate-limiting-to-our-Open-Banking-API
- https://docs.token.io/products/tpp/integration-considerations/api-basics
- https://standards.openbanking.org.uk
headers:
  retryAfter: retry-after
responseCodes:
  throttled: 429
  quotaExceeded: 429
algorithm: per-consent
limits:
- scope: per-AIS-consent (Open Banking UK default)
  tier: Default
  rule: 4 requests per minute when accessed without PSU present, unlimited PSU-present
  notes: 'UK Open Banking Standard default for AIS endpoints — accounts, balance, transactions, standing
    orders. Bank-enforced upstream of Token.io.'
- scope: per-TPP global
  tier: Production
  rule: contract-defined
  notes: Token.io applies tenant-level throttling per commercial agreement. Exact RPS / RPM negotiated with
    sales.
- scope: per-bank
  tier: All
  rule: bank-defined
  notes: Each upstream bank enforces its own PSD2 / Open Banking rate limits. Token.io surfaces 429s and bank
    status via the Reports API at /reports/banks/status.
recommendations:
- Apply per-consent rate limiting on AIS workflows to stay within bank-side caps.
- Use the Webhooks API to receive event-driven updates rather than polling.
- Use the Reports API (/reports/banks/status and /reports/banks/{bankId}/status) to monitor degraded bank
  connectivity before retrying.