Understanding Vista Social API Rate Limits
Vista Social applies rate limits to keep the platform fast and fair for every workspace. This article explains what the limits are, how to tell when you're getting close to one, and what to do if you hit one.
If you only have a minute, here's the short version:
- Default limit: 60 requests per minute, per integration. The MCP integration (ChatGPT / Claude / Cursor / etc.) has a higher cap of 180 requests per minute.
- Each integration has its own budget. Using Zapier doesn't slow down your direct API calls (or vice versa).
-
We tell you exactly where you stand on every response, in three
headers:
X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset. -
If you go over, you get an
HTTP 429response with aRetry-Afterheader telling you how many seconds to wait.
That's 90% of what most people need. The rest of this article fills in the details.
Where rate limits apply
| Integration | Limit | Per |
|---|---|---|
Direct REST API (vistasocial.com/api/*) |
60 requests / minute | workspace |
| Zapier integration | 60 requests / minute | workspace |
| Make integration | 60 requests / minute | workspace |
| n8n integration | 60 requests / minute | workspace |
| MCP integration (ChatGPT / Claude / etc.) | 180 requests / minute | workspace |
| OAuth-authorised apps | 60 requests / minute | workspace |
Each row is a separate budget. A workspace that uses Zapier and calls the REST API directly and connects an MCP-aware AI assistant has three independent budgets, not one shared budget. Pick the right integration for each job and you rarely run out.
Enterprise plans can raise the per-minute integration limit. If your business needs a higher cap, contact your Vista Social account manager — we can lift it on a per-workspace basis.
Reading the rate-limit headers
Every response from /api/integration/* (including successful ones)
includes three headers that describe your current bucket:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1716480123
| Header | What it tells you |
|---|---|
X-RateLimit-Limit |
Your cap, in requests per minute. |
X-RateLimit-Remaining |
Requests left in the current bucket before you hit the cap. |
X-RateLimit-Reset |
Unix timestamp (UTC, seconds) when the bucket refills. |
If you build automation against the Vista Social API, the cheapest way
to stay healthy is to read X-RateLimit-Remaining and pause when
it gets low — say, when it drops below 5 — until X-RateLimit-Reset
passes.
The values above are the defaults — actual values depend on your subscription. Always trust the headers, not the docs.
When you go over the limit
You'll get back an HTTP 429 Too Many Requests response.
Response headers:
HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1716480123
Retry-After: 24
Content-Type: application/json
Response body:
{
"error": "You are going too fast, please slow down. 60 requests are allowed every minute per integration.",
"errorValues": { "value1": 60 }
}
What to do:
-
Read
Retry-After. That number — in this example,24— is the wait, in seconds, until your bucket has refilled enough to accept the next request. -
Wait at least that long before retrying. Standard HTTP clients
(axios, Python
requests, Postman, etc.) honorRetry-Afterautomatically when configured to retry on 429. -
Do not retry tighter than
Retry-Aftersays. Doing so will only produce more 429s and trigger the repeated-violation alerts described below.
Repeated violations
Going over the limit once or twice is normal — for example, when a script starts up and warms its cache. But if your integration keeps exceeding the cap, we take action:
| Violations in 1 hour | What happens |
|---|---|
| 4 | Workspace owner gets an email + in-app alert naming the offending integration. |
| 11 | The API key is automatically deactivated. You'll be emailed when this happens. |
If your key gets deactivated, fix the underlying issue (usually a runaway loop in your script) and contact support to reactivate it. The counter resets one hour after your last violation.
Integration-specific notes
Direct REST API
The default 60-req/min bucket. Endpoints live under
https://vistasocial.com/api/* — see the full reference at
apidocs.vistasocial.com.
Authenticate with your API key in the x-api-key header. No integration
claim needed.
Zapier / Make / n8n
Each platform runs in its own bucket. Set the api_client header on
your custom requests so we can tell which integration the call is
coming from — api_client: zapier, api_client: make, or
api_client: n8n. (For n8n you can alternatively send
User-Agent: n8n, which we also recognise.) Without one of these
hints, the request falls into the direct-REST bucket instead and
shares budget with your own API calls.
(If you're using our pre-built Zapier / Make / n8n apps, this is done for you automatically.)
MCP (ChatGPT, Claude, Cursor, etc.)
MCP integrations have two limits stacked together:
-
Per-minute limit (this article) — 180 requests/minute on the
mcpchannel. This is higher than the 60/min default the other integrations get, because AI assistants tend to fire requests in bursts and don't always pace themselves to the standard limit. -
Per-tool burst cap (inside MCP) — each tool also has its own
short-term burst limit. Expensive tools like
generateImageandgenerateVideoare capped lower (e.g. 10 burst / 5 per minute forgenerateImage); cheap tools use a generous default. When a tool exceeds its own cap, the AI assistant sees a structured "rate limited" error inside the response and is instructed to wait before retrying.
You don't need to configure anything for either — they both apply automatically. The per-tool cap mostly comes into play with assistants that try to generate large batches of media in a single conversation; normal mixed tool use rarely touches it.
OAuth apps
OAuth-authenticated traffic uses bearer tokens instead of API keys, but the same 60-req/min budget applies, scoped to the workspace that granted authorization.
Common questions
"I'm well under 60 requests per minute, why am I getting 429s?"
A few things to check:
- Other integrations sharing the same API key? If multiple scripts share one key, they share the bucket. Use a separate API key per integration where possible.
-
Are you setting
api_client? A Zapier zap and a custom script that both use the same API key but noapi_clientheader land in the samedirectbucket. Set the header on the Zapier side to split them. - Bursting at the top of the minute? The window resets at the start of each "first request" cycle, not at clock minute boundaries. Spread requests evenly within the minute rather than firing them in the first second.
"Can you raise my rate limit?"
For workspaces on a paid Vista Social plan, yes — contact your account manager or open a ticket and we'll review. Free-tier workspaces can't have the limit raised but can subscribe at any time.
"Do bulk operations count as one request or many?"
One HTTP request = one count, regardless of how much data is in the
payload. A POST /publishing/posts that schedules across 10 profiles
counts as 1 request, not 10.
"Do GET requests count against the same bucket as POST / PUT?"
Yes — the limit is per request, not per operation type. Reading and writing share the same 60-req/min budget on each integration.
"Where do I see my current rate-limit usage?"
In the response headers of every API call. We don't expose a dashboard for this today — the headers are the source of truth.
"What if my API client doesn't support Retry-After automatically?"
Just read Retry-After from the 429 response and call sleep(N) (or
equivalent) before retrying. Every HTTP client lets you do this; it
just isn't automatic everywhere.
Still stuck?
Contact Vista Social support with:
- Your workspace name or root entity ID
- The integration that's being throttled (
zapier,mcp, etc.) - A sample 429 response body (so we can verify which bucket is involved)
- The timestamp of the most recent 429
We'll trace it from there.