API (Web Services) Throttling

To increase the performance and reliability of the system, throttling is implemented.

Throttle limits are for each environment. For example, if an API has a limit of 1,000 requests per hour, that means you can make 1,000 requests each in Pilot, Stage, and Production environments.

If a request is made after the throttle limit is reached, Cornerstone will respond with the following HTTP 429 error:

  • Cornerstone recommends that your applications queue such requests until the throttle limit duration has passed after which the request can be re-sent.

The throttling limits vary per API and are listed in the specific documentation for the API within the Developer Portal.

To access the Developer Portal, go to Admin > Tools > Edge > Develop > Developer Portal. Developer Portal can also be accessed directly at the following URL: https://csod.dev


The throttling limit for REST APIs varies by endpoint. Please check the documentation in the Developer Portal for additional details. For example, the following throttling limits exist:

  • Employee API v1
    • GET (Single User) - 6K/hour
    • GET (Bulk) - 3K/hour
  • Employe/OU API (v2)
    • GET (Single User) - 9K/hour
    • GET (Bulk) - 4.5K/hour
  • Reporting API
    • GET - 24K/hour
  • Cornerstone API (Foundational APIs)
    • The throttling limit across all Foundational APIs is 25,000 requests per hour. Note that certain Foundational APIs, such as the Proxy Enrollment API, have distinct throttling limit which are specified in API Explorer.


All Cornerstone SOAP APIs will be deprecated in Q4 of 2023. This will impact only a subset of API customers. If you are impacted by this upcoming change, you will receive an email from Cornerstone in November 2022 with information detailing the actions you will need to take prior to this deprecation.

To provide better API functionality and experience, Cornerstone has migrated almost all APIs to REST APIs.

The maximum request rate for all SOAP services is 35K requests per hour per organization, meaning that an organization cannot make more than 35K requests within an hour. Other limits include:

If the request count exceeds the request threshold, the SOAP API does not execute any action, and "Throttle rate exceeded" is displayed in the API response. The request count is reset an hour after the initial request.

This only impacts organizations using SOAP APIs.