Rate limiting is implemented natively via Azure API Management (APIM) which sits upstream of the HIBP API itself. An HTTP 429 response means you've exceeded the rate limit at the APIM level and need to either reduce the rate with which you're issuing requests or upgrade to a higher rate limit plan.
Things to check:
- No other processes are using the same API key
- You're leaving a small additional buffer between requests
- Try rotating the key if you still can't work out the problem, that will invalidate any other locations it's presently being used in
If you'd like to test the rate limit, try the Powershell script below (set the value of "Your_API_Key" and adjust the "delayInSeconds" as required):
$apiKey = "Your_API_Key" # replace this with your actual API key $delayInSeconds = 6 $url = "https://haveibeenpwned.com/api/v3/breachedaccount/test@example.com" $headers = @{ "hibp-api-key" = $apiKey } while ($true) { try { $response = Invoke-WebRequest -Uri $url -Headers $headers Write-Host "Status Code: $($response.StatusCode)" } catch { Write-Host "Error: $($_.Exception.Message)" } Start-Sleep -Seconds $delayInSeconds }