Rate limits.
Every plan has a per-second burst limit and a daily request budget. Both ride on every response in the X-RateLimit-* headers, so you can pace against the live remaining count.
Budgets
Limits are enforced per tier. The Free tier allows 1,000 requests/day at 2/sec; Developer raises that to 10,000/day at 5/sec; Institutional is custom (negotiated per contract). Full per-tier endpoint scopes are on the Authentication page.
Response Headers
Every response includes headers for rate limiting, tracing, and caching.
Handling 429
When you exceed a limit the API returns 429 rate_limited with a Retry-After header giving the number of seconds to wait. Back off for that window before retrying; do not hammer the endpoint.
Daily counters reset at 00:00 UTC, but the authoritative remaining budget is always in X-RateLimit-Daily-Remaining. Frozen responses replayed with ?as_of= still count against your budget.
Caching
Every GET response carries an ETag (a content hash) and a Cache-Control directive. Send the ETag back on your next request as If-None-Match; if nothing changed you get a 304 Not Modified with no body. Historical Axiora data is immutable once filed, so a 304 is the common case for past fiscal years.
curl https://api.axiora.dev/v1/companies/7203/financials \
-H "Authorization: Bearer ax_live_•••" \
-H 'If-None-Match: "a1b2c3d4"'
# → 304 Not Modified (when the resource is unchanged)