Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.gr4vy.com/llms.txt

Use this file to discover all available pages before exploring further.

The system does not apply any rate limits for server-to-server API calls. Instead, the system aims to grow with the business to handle the throughput needs required. That said, certain rate limits are applied on browser/app-to-server API calls in order to prevent enumeration attacks, preventing a malicious party from enumerating credit, debit, or scheme cards to check their validity.

Enumeration prevention

In order to prevent enumeration attacks, the following limits are applied.
Token & EndpointsLimit
A JWT token with the embed scope used with the following endpoints.

POST /gift-cards/balances
POST /gift-cards
POST /transactions		This limits tokens for use with Embed or other frontend integrations from iterating over scheme and gift card numbers. Server-to-server calls are not affected.
A Checkout Session ID used with the following endpoint.

POST /checkout/sessions/:id/fields		This endpoint is used by Secure Fields for storing scheme card details and prevents the over-use of the session ID to store and validate card details.
Rate limitThe current rate limit for these endpoints is set to approximately 50 requests per minute across all endpoints, per token. This value may be adjusted downward in time to adjust for enumeration attacks.Generating a new checkout session ID or JWT token for every checkout is recommended to prevent a user from being rate-limited.