Mantis Public API
This documentation describes how to integrate with Mantis 3.0.
Contents
| Section | Description |
|---|---|
| Authentication | x-api-key header and access rules |
| Rate limits | Per-IP quotas, global spike, HTTP 429 and Retry-After |
| API reference | GET routes under /risks and /events |
Rate limits
The public API applies two independent limits: one per client IP address and one for global volume on the same instance. Both use a one-second window (server calendar second).
Limits and behaviour (reference table)
| Limit | Window | What is measured | Threshold | When it triggers | Block / penalty | HTTP | Body and headers |
|---|---|---|---|---|---|---|---|
| Per IP | 1 second | HTTP requests per client IP | Up to 10 requests per second per IP are allowed | From the 11th request in the same second for that IP | That IP receives no successful handling for 5 seconds (repeated 429 until the block ends) | 429 | JSON with explanatory detail; Retry-After header (seconds to wait) |
| Global (instance) | 1 second | All requests to the API on the same instance/process | Up to 500 requests in the second; the 501st in the same second triggers the limit | Total traffic spike in that second | Every client gets 429 for 60 seconds (global block) | 429 | JSON with detail; Retry-After (typically 60 seconds) |
Important notes
- Retry-After: seconds to wait before calling again; honouring it avoids unnecessary failures.
- Multiple workers / replicas: each process keeps its own counters; with several instances, the effective per-IP cap may be per process, not a single cluster-wide ceiling. The global row applies per API instance.
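A client that respects both rows of the table paces itself below the per-IP threshold and waits for the Retry-After value whenever it receives a 429. The sketch below is an added example, not part of the Mantis documentation or code; the `send` transport, the budget of 8 requests per second and the 5-second fallback when Retry-After is missing are assumptions.

```python
import time
from collections import deque

PER_IP_LIMIT = 10    # from the table: up to 10 requests per second per IP
FALLBACK_WAIT = 5.0  # assumption: per-IP block length, used if Retry-After is unusable


def retry_after_seconds(headers):
    """Seconds to wait according to Retry-After, or FALLBACK_WAIT if absent/invalid."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    try:
        return max(0, int(value))
    except (TypeError, ValueError):
        return FALLBACK_WAIT


class PacedClient:
    # send(path) is a caller-supplied transport (hypothetical) that adds the
    # x-api-key header and returns (status, headers, body).
    def __init__(self, send, budget=PER_IP_LIMIT - 2, max_attempts=3,
                 clock=time.monotonic, sleep=time.sleep):
        self.send, self.budget, self.max_attempts = send, budget, max_attempts
        self.clock, self.sleep = clock, sleep
        self.recent = deque()  # send times within the last second

    def _pace(self):
        # Sliding window: at most `budget` sends in any 1-second span, which
        # also bounds every server calendar second. The default budget of 8
        # leaves headroom for network jitter (assumed margin).
        while True:
            now = self.clock()
            while self.recent and now - self.recent[0] >= 1.0:
                self.recent.popleft()
            if len(self.recent) < self.budget:
                self.recent.append(now)
                return
            self.sleep(1.0 - (now - self.recent[0]))

    def get(self, path):
        for attempt in range(self.max_attempts):
            self._pace()
            status, headers, body = self.send(path)
            if status != 429:
                return status, body
            if attempt + 1 < self.max_attempts:
                # Blocked (per IP or globally): wait it out instead of retrying at once.
                self.sleep(retry_after_seconds(headers))
        raise RuntimeError(f"still rate limited after {self.max_attempts} attempts")
```

Share one PacedClient among all callers that leave through the same IP address, since the limit is counted per client IP.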
Your API key
Request your API key through the Mantis 3.0 platform.
You can only view the key once when it is generated. It cannot be recovered later.