Rate limits

The demo proxies all RPC calls to Helius. Limits are enforced upstream and the demo forwards relevant response headers.

Maintained by Helius · Last updated · View source

Demo proxy (this site)

The demo's /api/rpc endpoint applies its own lightweight rate limiting to prevent abuse of the shared API key. Concretely:

  • Burst: 60 requests per minute per IP across all RPC methods
  • Long term: 1,000 requests per hour per IP
  • Method allowlist: only the methods listed in src/app/api/rpc/route.ts are accepted; everything else returns 403 with a JSON error

These limits exist because the demo uses a single shared Helius API key. For production traffic, clone the boilerplate, generate your own key, and remove the demo-side limiter.

Response headers

The demo forwards Helius rate-limit headers from upstream responses when present:

  • x-ratelimit-limit— your tier's allowed RPS
  • x-ratelimit-remaining — requests remaining in the current window
  • x-ratelimit-reset — Unix timestamp when the window resets
  • retry-after — seconds to wait before retrying (set on 429 responses)

Upstream Helius RPC limits

The demo's key is on the free tier. Production tiers from helius.dev/pricing:

TierRPSCredits / month
Free101,000,000
Developer ($49)5010,000,000
Business ($499)200200,000,000
Professional ($999)500500,000,000
EnterpriseCustomCustom

Numbers above may lag the live pricing page. Treat helius.dev/pricing as canonical.

Recommended retry strategy

When the demo returns 429 or 503, retry with exponential backoff:

  • Initial delay: 1 second
  • Multiplier: 2x per retry
  • Max delay: 30 seconds
  • Jitter: ±25%
  • Max retries: 5

Honor the retry-after header when present; it overrides the calculated delay.

Error response shape

All errors from /api/rpc are JSON-RPC 2.0 shaped:

{
  "jsonrpc": "2.0",
  "id": "1",
  "error": {
    "code": -32005,
    "message": "Method getStakeActivation is not allowed.",
    "data": { "allowedMethods": ["getBalance", "getAsset", "..."] }
  }
}

Standard JSON-RPC codes plus Helius-specific extensions:

  • -32600 — invalid JSON-RPC request
  • -32601 — method not found
  • -32602 — invalid params
  • -32005 — method not allowed by this proxy
  • 429 (HTTP status) — rate limit exceeded; see retry-after

Status and incident reporting

Live status: helius.statuspage.io. For incidents that affect the demo specifically (not Helius RPC), file an issue at github.com/helius-labs/frontend-boilerplate/issues.