Authenticated API endpoints enforce per-user daily quotas. Limits reset at the end of the calendar day (application timezone).
| Endpoint | Daily limit |
|---|---|
| GET /api/currencies | 6 calls / day |
| GET /api/convert/{from}/{amount}/{to} | 24 calls / day |
| GET /api/usage | 4 calls / day |
HTTP 429 with a Retry-After header (seconds until midnight reset):
{
"message": "Daily API limit exceeded."
}
POST /api/login is separately rate-limited to reduce brute-force risk. Exceeding that limit also returns HTTP 429.