The Sandbox API imposes the following rate limits:

  • Sandbox instances

    There is a limit of 100 sandbox instances for each Control Center account. The X-Limit-Sandboxes-Remaining value in the response header indicates how many sandbox instances you can still create.

  • Gateway number of requests

    If the gateway determines that a given connection is receiving too many messages, it immediately returns an HTTP response indicating the error. The response uses HTTP status code 429 and contains a special HTTP header indicating that the error was generated by the gateway, to avoid confusion with a legitimate 429 error returned by the application being tested. It also includes a JSON payload with additional information about the rate limit error, including the suggested UTC timestamp to wait for before attempting another request. The connector interrogates the rate limit error returned by the gateway and short-circuits subsequent requests until the proper time has elapsed.

    | Limit | Default value | Description |
    |---|---|---|
    | | | The gateway limits the rate of requests allowed per the WebSocket connection. It is a configurable amount, initially capped at 5,000 per 10-second window. |
    | connector.tunnel.max_concurrent_streams | 100 | The gateway limits the concurrent number of connections to 100. |

  • Web Application Firewall (WAF) Rule for Sandbox Open API

    To protect the core Property Manager functions from, for example, a customer (or a malicious DevPoPs user) sending a high burst of provisioning requests, a WAF rule is applied to provisioning API traffic. The current rate limiting for /devpops-api/* is based on the client IP, with the following parameters:

    • Burst: 16 hits/sec during any 5-second period
    • Average: 12 hits/sec during any 2-minute period
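
A client that automates provisioning calls can pace itself so it never trips the WAF rule above. The following is an added example, not code from the Sandbox API or its connector: a sliding-window throttle that enforces both windows at once. It assumes "N hits/sec during any T-second period" means at most N*T requests in any T seconds; the names DualWindowThrottle and simulate are hypothetical.

```python
from collections import deque

# Limits from the WAF rule above, read as per-window request budgets
# (assumption: N hits/sec over any T seconds == at most N*T hits in T seconds).
WAF_WINDOWS = ((5.0, 16 * 5), (120.0, 12 * 120))  # (window seconds, max hits)


class DualWindowThrottle:
    """Client-side sliding-window throttle that stays under every window."""

    def __init__(self, windows=WAF_WINDOWS):
        self.windows = tuple(sorted(windows))
        self.longest = self.windows[-1][0]
        self.sent = deque()  # timestamps of requests already sent, oldest first

    def delay_needed(self, now):
        """Seconds to wait before a request at `now` fits all windows."""
        # Forget timestamps that can no longer affect the longest window.
        while self.sent and self.sent[0] <= now - self.longest:
            self.sent.popleft()
        wait = 0.0
        for span, limit in self.windows:
            in_window = [t for t in self.sent if t > now - span]
            if len(in_window) >= limit:
                # The request fits once this timestamp ages out of the window.
                oldest_blocking = in_window[len(in_window) - limit]
                wait = max(wait, oldest_blocking + span - now)
        return wait

    def record(self, now):
        """Note that a request was sent at `now`."""
        self.sent.append(now)


def simulate(request_times, throttle=None):
    """Replay intended send times; return when each request actually goes out."""
    throttle = throttle or DualWindowThrottle()
    actual, clock = [], 0.0
    for intended in request_times:
        clock = max(clock, intended)
        clock += throttle.delay_needed(clock)
        throttle.record(clock)
        actual.append(clock)
    return actual
```

In a real client, call delay_needed(time.monotonic()), sleep for the returned value, then call record() with the new time just before sending.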