Intermittently Receiving Spike Arrest Violation

Good evening,

I am working with a Keap client’s production environment and have recently run into an API response that I’m not overly familiar with and was wondering if anyone could please help shed some light and break down exactly what it means?

We’ve received the following error across 10 orders submitted via the v1 REST API using the client’s Legacy API key over a few days in the last week. It’s worth noting that I also received this error once while working within the sandbox environment as well over the last week.

{
  "fault": {
    "faultstring": "Spike arrest violation. Allowed rate : MessageRate{messagesPerPeriod=25, periodInMicroseconds=6000000, maxBurstMessageCount=1.0}",
    "detail": {
      "errorcode": "policies.ratelimit.SpikeArrestViolation"
    }
  }
}

Note: The period in microseconds has ranged from 5-7 seconds.

The dates and times that this occurred are as follows (all times are in CDT)

7/8/22 4:38:14 PM
7/9/22 2:14:27 PM
7/11/22 8:10:54 AM
7/11/22 10:13:41 AM
7/11/22 1:20:53 PM
7/11/22 2:51:15 PM
7/11/22 3:07:11 PM
7/12/22 11:34:58 AM
7/12/22 2:49:07 PM
7/12/22 10:34:13 PM

The only reference to the error that I’ve seen is within some Google Apigee documentation; I believe Keap is using Apigee as their API proxy provider, if I’m remembering correctly.
That documentation indicates that this error is caused by exceeding a request threshold. While I do not believe that it’s likely that we’re hitting the API threshold, I have added some additional logging within our app to help verify that when/if the error occurs again. Though it is odd that I also received the error in the sandbox environment within the same week or so, and I’m fairly certain I was not making that many requests, assuming the info below on thresholds that I’ve seen is still accurate.

Can anyone please verify or provide clarity on the following -

Based on what I said above, is my understanding of that error correct?

Are these thresholds still current?
Quotas and Throttles:
5 Queries per Second
120 Queries per Minute
15000 Queries per Day

If correct, are the above thresholds per origin server making the request, or tied specifically to the use of the Legacy API key, if, say, two different servers were making API requests using the client’s Legacy API key at the same time?

Could this have been caused by brief service disruption issues / has anyone else been running into this error recently?

Is there a good place to check service disruptions and a history of them? I was looking at the site but it does not appear to be secure, and the history page was last updated in May 2021, so I’m not certain if it’s still relevant.

Any help is greatly appreciated, and a big thank you in advance to anyone that provides some info!

Best regards,


Good morning Garett!

If you are using a Legacy Key via the REST API then the current limits are:
25 queries per second
120 queries per minute
1500 queries per day

These limits are lower than the related OAuth2 key limits due to the fact that each Legacy Key is associated with only a single tenant instance, whereas the OAuth2 developer accounts are intended to develop applications that will interact with many tenant instances.

Good afternoon Tom,

Thank you for the follow-up! Given what you mentioned regarding the Legacy API key, could we be getting some sort of false positive here?
Is the spike arrest violation error message that we’re seeing what we should be getting as a response when we’re being throttled?
Looking through the logs we’ve had instances where we were definitely under the limits you noted, even a case where we only had 3 requests made in two minutes, and still received the spike arrest violation error message.
If another party is also using the client’s Legacy API key but making requests from a different server, are the limits tied specifically to the API key or do they also take into account the source address that is making the request?


The limits are tied to the Legacy API key, which means they are shared among all consumers. If the user generates a Service Account Key instead, the limits are somewhat different, but are individual to each SAK, rather than all tied to the same one, since at that point the traffic is subdivided by consumer as well as tenant.
5 queries per second
120 queries per minute
15000 queries per day

If you are developing integrations as a third party, you really should be using OAuth2 to obtain authorization and make calls, which would have your quotas based on your integration’s account rather than a particular key’s.
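
An added example, not part of the thread and not Keap's code: a Python audit of merged request logs from every consumer of one shared key, using the `MessageRate` values from the fault quoted above. It assumes, following Apigee's SpikeArrest documentation rather than anything confirmed in this thread, that the allowed rate is smoothed into evenly spaced slots; the function names and the sample timestamps are constructed for illustration.

```python
import re
from bisect import bisect_left

# Faultstring as quoted in the first post of this thread.
FAULT = ("Spike arrest violation. Allowed rate : MessageRate{messagesPerPeriod=25, "
         "periodInMicroseconds=6000000, maxBurstMessageCount=1.0}")

def parse_message_rate(faultstring):
    """Return the numeric fields of MessageRate{...} as a dict of floats."""
    m = re.search(r"MessageRate\{([^}]*)\}", faultstring)
    if not m:
        raise ValueError("no MessageRate in faultstring")
    pairs = (kv.strip().split("=", 1) for kv in m.group(1).split(","))
    return {key: float(value) for key, value in pairs}

def min_spacing_seconds(rate):
    """Assumption: the period is divided into equal slots of one message each."""
    return rate["periodInMicroseconds"] / 1e6 / rate["messagesPerPeriod"]

def audit(timestamps, spacing, windows):
    """Check every call made with the shared key, from all servers combined.

    timestamps: epoch seconds of each request (any order).
    spacing:    minimum gap in seconds between consecutive requests.
    windows:    {window_seconds: max_calls} sliding-window quotas.
    Returns a list of (kind, timestamp, observed_value) findings.
    """
    ts = sorted(timestamps)
    findings = []
    for prev, cur in zip(ts, ts[1:]):
        if cur - prev < spacing:
            findings.append(("spacing", cur, round(cur - prev, 3)))
    for width, limit in windows.items():
        for i, start in enumerate(ts):
            count = bisect_left(ts, start + width) - i  # calls in [start, start+width)
            if count > limit:
                findings.append((f"{width}s-window", start, count))
                break  # first offending window per quota is enough
    return findings

# Constructed sample: two servers sharing one key, five calls in 90 seconds.
SERVER_A = [0.00, 30.0, 90.0]
SERVER_B = [0.10, 60.0]

if __name__ == "__main__":
    gap = min_spacing_seconds(parse_message_rate(FAULT))
    print(f"minimum spacing under smoothing: {gap:.3f}s")
    for finding in audit(SERVER_A + SERVER_B, gap, {60: 120}):
        print(finding)
```

Under that assumption, two calls 100 ms apart are flagged even though the per-minute total is far below 120, so per-request timestamps with millisecond precision across all consumers of the key are what the extra logging needs to capture.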