High-volume API: hosts and routing
Dual-host behavior
Both api.rebrandly.com and enterprise-api.rebrandly.com accept high-volume API requests, routing to the same underlying API services. The difference is rate limits:
| Host | Rate limit | Use for |
|---|---|---|
api.rebrandly.com | 10 req/sec (default) | Lower-volume operations |
enterprise-api.rebrandly.com | 1 req/sec default, up to 40 req/sec depending on your plan | High-volume link creation at scale |
Either host works for retrieving existing links created via the high-volume API. For high-throughput batch creation, use enterprise-api.rebrandly.com.
WAF quirk: script tags in POST bodies
A Web Application Firewall (WAF) sits in front of enterprise-api.rebrandly.com. Sending a POST body containing HTML <script> tags to this host returns a 403 response, regardless of which endpoint you're calling.
The 403 response is HTML, not JSON. Any client parsing the response as JSON will throw a parse error before it sees the status code.
The most common place this surfaces is /v1/scripts (retargeting script creation), since those payloads contain <script> tags by definition.
Workaround
For /v1/scripts (retargeting script creation), use api.rebrandly.com instead of enterprise-api.rebrandly.com:
# ✅ Use api.rebrandly.com for /v1/scripts
curl -X POST https://api.rebrandly.com/v1/scripts \
-H "Content-Type: application/json" \
-H "apikey: YOUR_API_KEY" \
-d '{
"name": "My retargeting script",
"value": "<script>...</script>"
}'
# ❌ This returns 403 HTML (not JSON) on enterprise-api.rebrandly.com
curl -X POST https://enterprise-api.rebrandly.com/v1/scripts \
-H "Content-Type: application/json" \
-H "apikey: YOUR_API_KEY" \
-d '{
"name": "My retargeting script",
"value": "<script>...</script>"
}'Handling the 403 safely
If your client sends to enterprise-api.rebrandly.com and receives a 403, check the Content-Type header before parsing:
const response = await fetch(url, options);
if (!response.ok) {
const contentType = response.headers.get("content-type") || "";
const body = contentType.includes("application/json")
? await response.json()
: await response.text();
throw new Error(`API error ${response.status}: ${
typeof body === "string" ? body.slice(0, 200) : JSON.stringify(body)
}`);
}Related pages
- Creating links at scale for SMS and campaigns—full high-volume API guide
- High-volume API link limitations—silently dropped fields
- Rate limits—full rate limit reference by host and plan