The API is rate-limited per API key. Stay under the limit and watch the RateLimit-* headers; over it, you get a 429 with a Retry-After.
1,000 requests per minute, per API key. Each key has its own bucket, so a test key and a live key don't share a limit. A batch send counts as one request per email it meters (so a 100-email batch consumes ~100 tokens), which is why batching is far more efficient than looping over /send. OAuth-connected agents are rate-limited the same way, per client.
The deliverability check additionally has a dedicated, tighter limit of 20 requests per minute, per key — it runs an AI analysis on every call, so the dedicated cap keeps an automated loop from running up cost. Over it you get the same 429 rate_limited (with Retry-After); no analysis runs.
Every response carries your current budget:
A 429 returns rate_limited and sets Retry-After (seconds). The SDK retries automatically with backoff; to handle it yourself, wait Retry-After and retry the idempotent request.