Fair usage of the Loco API
Our API is provided for private development purposes, not for embedding in live applications. We don't want to apply annoying rate limits to our services. To avoid us having to do so, please use the API in accordance with our fair usage policy.
- Do use the API to save your translations into files.
- Do use the API to automate your localisation workflow.
- Do use the API to build awesome development tools.
- Don't send public Internet traffic to our endpoints.
- Don't call the API for every page view of a production website.
- Don't distribute API keys in published software.
Live feeds vs static files
During development you are welcome to call the API as much as you need. You may wish to pull live JSON feeds into web pages, or download the latest strings every time you compile your app. This is what the Export API is for.
However, when you deploy your live product, we ask that you export and deploy static files. Please ensure your application isn't hitting our API to display live content to your own users. If public Internet traffic is routed to our servers we will have to take measures which may affect your application. If you're not clear on what the API may be used for, please ask.
Protect your keys
If you need to embed your API key in a deployment script, always use a read-only key. This is less dangerous if it gets intercepted by a third party as it can't be used to perform any data-changing actions.
Distributing a "full access" key is as good as giving out your password. If we see a full access key being used from multiple locations we'll have to assume it's been stolen and may have to revoke it.
If you need to provide colleagues with API access or download links, it's preferable to invite them to your project instead of sharing your keys. Distributing keys around your organization will appear to our servers much the same as if the key was embedded in a live application.
Calls to the Export API are not cached by default. This means your requests will return the latest translations under normal circumstances. However, if you distribute your API keys in a live application we may start sending cached responses. The duration of the cache will reflect the level of unauthorized traffic hitting our servers.
There are currently no daily or hourly limits on API usage, but if you send parallel requests (to get more data faster) you may hit punitive limits. Making too many requests simultaneously will result in status 429 (Too Many Requests). The exact limits will vary according to the level of abuse we're experiencing. This measure is designed to protect us from things like DDoS attacks, so if you're in any doubt as to what you can get away with, we recommend you queue your requests in a single thread.
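One way to queue export requests in a single thread and back off when status 429 comes back. This is an added example, not part of Loco's documentation: the `fetch` callable, the file names and the retry delays are assumptions, and the stand-in server is constructed so the block runs offline.

```python
import time


class TooManyRequests(Exception):
    """Raised when a path is still throttled after all retries."""


def export_serially(paths, fetch, max_retries=4, base_delay=1.0, sleep=time.sleep):
    """Fetch each path in turn, never more than one request in flight.

    fetch(path) -> (status, body) is a hypothetical transport callable;
    in a real build script it would wrap an HTTP client and a read-only key.
    """
    results = {}
    for path in paths:
        for attempt in range(max_retries + 1):
            status, body = fetch(path)
            if status == 200:
                results[path] = body
                break
            if status != 429:
                raise RuntimeError(f"{path}: unexpected status {status}")
            if attempt == max_retries:
                raise TooManyRequests(path)
            # Exponential backoff (assumed policy): 1s, 2s, 4s, ...
            sleep(base_delay * 2 ** attempt)
    return results


def make_fake_fetch(throttle_first=2):
    """Constructed stand-in for the API: the first N calls return 429."""
    calls = {"n": 0}

    def fetch(path):
        calls["n"] += 1
        if calls["n"] <= throttle_first:
            return 429, b""
        return 200, ('{"file": "%s"}' % path).encode()

    return fetch


def demo():
    """Run the queue against the stand-in and record the backoff delays."""
    delays = []
    out = export_serially(["en.json", "fr.json"], make_fake_fetch(2), sleep=delays.append)
    return out, delays


if __name__ == "__main__":
    print(demo())
```
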
We're currently working on Pro features to avoid these limitations, including a "deployment" API that can be embedded in published software and make unlimited live API calls. Until these features are available, the limitations for paid plans are the same as for free accounts.