Rate limits for the Cato API are applied on a per-query, per-account basis. This means that for each query there is an individual counter, but it applies to all the API keys (for different users) querying that account. So two different users calling two separate queries do not impact each other. However, if two different users are calling the same query, then these queries are subject to the same counter (for the purposes of rate limiting) and it is possible that the one user's query impacts the other user.
The Cato API back end is highly available and elastic, so the rate limits are a guaranteed minimum rather than an absolute maximum. For example, the auditFeed query has a rate limit of 5 per minute, this means that an account can call auditFeed at least five times every 60 seconds without being rate limited. In reality, it's possible for customers to call this query more frequently, but the guaranteed minimum rate of unlimited calls is 5 per minute. Nevertheless, there is also an account-wide counter, so if you there are five different users all query auditFeed at the same time, to guarantee that they will not be impacted by rate limiting, then each user could only call the query once every 60 seconds.
Cato's Python sample scripts gracefully handle rate limiting by waiting for five seconds before retrying. Customers can adopt similar strategies in their own API scripts.
These are the details for the Cato API rate limits for the following queries:
accountSnapshot: 10/second (120/minute)
entityLookup: 30/minute (1500/5 hours)