Big Cranium Logo White.png
TrainingHelp Center
Find the insights and best practices about our product.
General
FAQs
System & Network Requirements
Getting Started
My AI Dashboard Overview
Release Notes
2026.4.2 Release Notes
2026.4.1 Release Notes
2026.3.1 Release Notes
2026.2.2 Release Notes
2026.2.1 Release Notes
2026.1.1 Release Notes
2025.12.1 Release Notes
2025.11.1 Release Notes
2025.10.3 Release Notes
2025.10.1 Release Notes
2025.9.1 Release Notes
2025.8.1 Release Notes
2025.7.1 Release Notes
2025.4.1 Release Notes
2025.3.1 Release Notes
2025.1.1 Release Notes
2024.12.1 Release Notes
AI Manager
My AI Systems
My AI Systems Overview
AI System Details Overview
Adding a New AI System
Self-Attesting to a Compliance Framework
Compliance Scoring
Compliance Agent [Beta]
My AI Supply Chain
Supply Chain Overview
Managing Outgoing AI Card Requests
Responding to an AI Card Request
Publishing an AI Card Without a Request
My Vendors Overview
Artifacts
Bill of Materials
Bill of Materials Overview
Creating a Bill of Materials with CodeSensor
Self-Attest to a Bill of Materials
AgentSensor Overview
Technology Search Overview
Document Library
Document Library Overview
Vulnerability Management
Arena Shield
Arena Shield Overview
Shield YAML Implementation Guide
Arena
AI Arena Overview
Vulnerability Assessment
Vulnerability Management
Vulnerability Assessment Overview
Accessing a Vulnerability Assessment
Adversarial Inputs Detector
Vulnerabilities Overview
Settings
User Manager Overview
Detect AI
Integrations
Accessing a Private VCS
Registering SSH for CodeSensor
Integrating Bitbucket with Cranium
Integrating GitHub with Cranium
Integrating GitLab with Cranium
Integrating Azure DevOps with Cranium
Continuous Monitoring Overview
VCS Service Rate Limits
CloudSensor
CloudSensor Overview
Public API
Public API Overview
Authentication & Generating Credentials
Pagination & Incremental Sync
Rate Limits & Error Handling
Endpoint Reference
Bills of Materials
Technology Vulnerabilities
Arena Models
Arena Model Vulnerabilities
Home
Public API
Rate Limits & Error ...
Rate Limits & Error Handling

The Cranium Public REST API enforces per-customer rate limits and returns standardized error responses when requests fail. This article covers the rate limit thresholds, the headers and response bodies returned for rate limit and error conditions, and recommended client behavior.

Rate Limits

The Public API allows up to 60 requests per minute per customer across all users and integrations within an organization. The limit is enforced on a fixed-window basis, meaning all requests count against the same minute-aligned window.

All users, integrations, and credential sets within a single Cranium tenant share the same quota. If your organization runs multiple integrations against the API, plan their request patters together to avoid exhausting the shared quota.

Rate Limit Headers

The API returns rate limit information in response headers.

Use these headers to pace your client. If X-Rate-Limit-Remaining is approaching zero, slow down outbound requests until the next window begins.

429 Too Many Requests

When a request exceeds the rate limit, the API returns a 429 response.

Response status: 429 Too Many Requests


Response headers:

Retry-After: 30


Response body:

json

{
	"statusCode": 429,
	"message": "Rate limit is exceeded. Try again in 30 seconds."
}


The Retry-After value indicates how many seconds your client should wait before retrying. Always honor this value rather than retrying immediately.

Recommended Client Behavior

When you receive a 429 response:


1. Stop sending requests immediately.

2. Wait for the number of seconds specified in the Retry-After header.

3. Retry the request once the wait period has elapsed.


If your client makes many requests in quick succession, consider adding a small delay between requests to keep X-Rate-Limit-Remaining from approaching zero. For high-volume use cases, batch operations into off-peak hours where possible.

Authentication Errors & Quota

Requests that fail authentication with a 401 Unauthorized response do not consume rate limit quota. This means failed authentication attempts do not count against your 60-requests-per-minute budget. However, repeated authentication failures may trigger other security measures. Resolve authentication issues promptly rather than retrying with invalid credentials.

Error Responses

The Public API returns standard HTTP status codes. Error responses include a JSON body describing the error.

Common error response format:

json

{
	"statusCode": 400,
	"message": "Description of the error."
}


Handling 5xx Errors

For 5xx responses, retry the request with exponential backoff. Wait at least on second before the first retry, doubling the delay on each subsequent retry up to a reasonable maximum (for example, 60 seconds). Stop retrying after a small number of attempts and surface the error to your monitoring system.

When reporting persistent issues to Cranium support, include the meta.requestId value from the failing response. This identifier helps engineering correlate logs across the request lifecycle.

Did this answer your question?
Related Articles
Arena Model Vulnerabilities
Arena Models
Technology Vulnerabilities
Bills of Materials
Public API Overview
Authentication & Generating Credentials
Pagination & Incremental Sync