From 5748ce903fe02978be07865f7b9bc4b524e05bb9 Mon Sep 17 00:00:00 2001 From: "Aaron K. Clark" Date: Tue, 19 May 2026 13:04:52 -0500 Subject: [PATCH] docs(readme): mention Retry-After 429 header alongside RateLimit-* #322 exposed `Retry-After` on cross-origin 429 responses so browser JS could honor the server's back-off instead of falling back to a fixed-delay retry. The README's "HTTP conventions" section listed the RateLimit-* trio but never mentioned Retry-After, so SDK authors reading the doc wouldn't know the field was available. Add a bullet describing the header, what it means, and the CORS exposure rationale (Retry-After is NOT on the CORS safelisted- response-headers set, so the project's expose-headers list is what makes it readable cross-origin). Co-Authored-By: Claude Opus 4.7 (1M context) --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 1f38c4d..cf69b69 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,11 @@ Working example at [node.timetrackerapi.com](http://node.timetrackerapi.com). propagate trace context from a reverse proxy / mesh. - **`RateLimit-*` (response headers, RFC standard)** — `RateLimit-Limit`, `RateLimit-Remaining`, `RateLimit-Reset` on every /v1/* response. +- **`Retry-After` (response header on 429, RFC 7231)** — seconds the + client should wait before retrying when the quota is exhausted. + Cross-origin browser JS can read this via the CORS expose-headers + list (it's not on the CORS safelist) so SDKs can honor the server's + back-off instead of falling back to a fixed-delay retry. - Browser JS reading any of the above on a cross-origin response works out-of-the-box: the CORS layer's `Access-Control-Expose-Headers` covers them.