Capture and share the world's moments.


All rate limits on the Instagram Platform are applied on a sliding 1-hour window.

Global Rate Limits

Global rate limits are applied inclusive of all API calls made by an app over the 1-hour sliding window, regardless of the particular endpoint. The limits are applied independently from each other; authenticated calls are not counted against the rate limit for unauthenticated calls and vice-versa.

Type Rate Limit
Authenticated Calls 5,000 / hour per token
Unauthenticated Calls 5,000 / hour per application

We recommend that you use an Oauth token for the authenticated user for each endpoint, even in cases where it's not required, since the rate limit for authenticated calls scales as you grow the amount of people using your app.

HTTP Header

Information regarding the global rate limits is included in the HTTP header on the response to each of your calls, which enables your app to determine its current status with respect to these rate limits. The following fields are provided in the header of each response and their values are related to the type of call that was made (authenticated or unauthenticated):

X-Ratelimit-Remaining: the remaining number of calls available to your app within the 1-hour window

X-Ratelimit-Limit: the total number of calls allowed within the 1-hour window

Endpoint-Specific Rate Limits

Certain POST endpoints have rate limits that are applied on an endpoint basis. Any calls made to these endpoints by your OAuth Client are also counted towards the global rate limits noted above. The rate limits for these endpoints are dependent on whether your OAuth Client is configured to issue signed requests. Signed requests mean that your app issues POSTs server-side with the X-Insta-Forwarded-For header containing your Client Secret. To enable signed requests, your app must be configured to both disable implicit OAuth and enforce signed requests. headers. Please refer to the Secure API Requests Link: /developer/secure-api-requests/ Restrict API Requests Link: /developer/restrict-api-requests/ documentation for more information on how to sign your API calls.

Endpoint Unsigned Calls (per token) Signed Calls (per token)
POST /media/media-id/likes 30 / hour 100 / hour
POST /media/media-id/comments 15 / hour 60 / hour
POST /users/user-id/relationships 20 / hour 60 / hour

Response Codes

If your app exceeds any of these rate limits, you will receive a response with an HTTP response code of 429 (Too Many Requests). The body of the response will consist of the following fields:

Field Value
code 429
error_type OAuthRateLimitException
error_message The maximum number of requests per hour has been exceeded.

You may also receive responses with an HTTP response code of 400 (Bad Request) if we detect spammy behavior by a person using your app. These errors are unrelated to rate limiting.