Problem
When the quote endpoint returns 429 Too Many Requests,
the response does not include a Retry-After header.
Clients have no way to know how long to wait before
retrying.
Impact
Medium — affects SDK clients and automated integrations
such as trading bots that need to know when to retry
after hitting the rate limit. Without Retry-After,
clients either retry immediately, making the problem
worse, or stop retrying entirely.
To reproduce
- POST https://api.cow.fi/sepolia/api/v1/quote
- Header: Content-Type: application/json
- Body:
  {
    "sellToken": "0xfFf9976782d46CC05630D1f6eBAb18b2324d6B14",
    "buyToken": "0x0625aFB445C3B6B7B929342a04A22599fd5dBB59",
    "sellAmountBeforeFee": "1000000000000000000",
    "kind": "sell",
    "from": "0x0000000000000000000000000000000000000001"
  }
- Send the request repeatedly until 429 is returned
- Check response Headers tab — Retry-After is absent
Expected behaviour
Status: 429
Response Headers should include:
Retry-After:
Actual behaviour
Status: 429
Response Headers received:
:status: 429
server: CloudFront
date: Tue, 26 May 2026 17:15:46 GMT
content-length: 116
content-type: application/json
x-cache: Error from cloudfront
No Retry-After header present.
Postman test failure confirms the header is missing:
"If rate limited response has Retry-After header |
AssertionError: expected undefined to exist"
Screenshots/logs
See attached screenshots showing:
- Rate limiting triggers at approximately iteration 1491
- Failing test confirming Retry-After header is absent
- Response Headers for 429 response — no Retry-After
services version/commit hash and environment
Version: v2.362.3-dirty
Environment: production (https://api.cow.fi/sepolia)
Additional context
The 429 response is served by AWS CloudFront
(confirmed via server: CloudFront response header)
rather than the application layer. The Retry-After
header needs to be configured at the CloudFront
distribution level.
Reference: https://www.rfc-editor.org/rfc/rfc6585#section-4
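Client-side handling of the case reported above, as an added example that is not part of the original report and not code from the project or its SDK: a client honours Retry-After when it is present (delta-seconds or HTTP-date) and falls back to capped exponential backoff with full jitter when it is absent, as in the 429 headers shown. The function names, BASE_MS and CAP_MS are assumptions chosen for illustration.

```javascript
// Added example. retryDelayMs, parseRetryAfter, BASE_MS and CAP_MS are hypothetical names.
const BASE_MS = 500;   // assumed first backoff step
const CAP_MS = 60000;  // assumed upper bound on any single wait

// Parse a Retry-After value, which is either delta-seconds or an HTTP-date.
// Returns milliseconds to wait, or null when the header is absent or malformed.
function parseRetryAfter(value, nowMs) {
  if (value === undefined || value === null) return null;
  const v = String(value).trim();
  if (/^\d+$/.test(v)) return Number(v) * 1000;
  const when = Date.parse(v);
  if (Number.isNaN(when)) return null;
  return Math.max(0, when - nowMs); // a date in the past means "retry now"
}

// Decide how long to wait after a 429.
// headers: plain object with lower-cased header names.
// attempt: 0-based count of retries already made.
// rand: injectable RNG so the jitter is testable.
function retryDelayMs(headers, attempt, nowMs = Date.now(), rand = Math.random) {
  const hinted = parseRetryAfter(headers["retry-after"], nowMs);
  // Cap the server hint too, so a bad value cannot stall the client indefinitely.
  if (hinted !== null) return Math.min(hinted, CAP_MS);
  // No usable hint (the case in this report): full-jitter exponential backoff,
  // which spreads retries out instead of having every client retry at once.
  const ceiling = Math.min(CAP_MS, BASE_MS * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}

// Constructed sample: the 429 response headers from the report, with no Retry-After.
const reported429 = {
  ":status": "429",
  server: "CloudFront",
  date: "Tue, 26 May 2026 17:15:46 GMT",
  "content-length": "116",
  "content-type": "application/json",
  "x-cache": "Error from cloudfront",
};
```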