The important question is not how long to wait between attempts. It is whether the action can safely happen twice.
Set a Clear Retry Policy First
A retry policy needs four parts:
- Which failures qualify for a retry
- How many attempts are allowed
- How long the integration waits between attempts
- Where the run goes after the last attempt fails
Keeping the policy narrow prevents a temporary API outage from turning into a flood of repeated requests, duplicate records, or long-running workflows that block newer work.
| Failure signal | Default action | Reason |
|---|---|---|
| Connection reset, DNS failure, temporary network timeout | Retry | The request may not have reached the destination. |
| HTTP 408 Request Timeout | Retry with backoff | The server did not complete the request in time. |
| HTTP 429 Too Many Requests | Wait, then retry | The destination is rate-limiting requests. |
| HTTP 500, 502, 503, 504 | Retry with backoff | These responses commonly indicate a temporary server or gateway problem. |
| HTTP 400, 401, 403, 404, 422 | Fail immediately | The request, credentials, permissions, route, or data needs correction. |
| HTTP 409 Conflict | Resolve the conflict before retrying | Repeating the request can overwrite newer data or create a duplicate update. |
Apply limits at both the API-step level and the workflow level. An individual API call may get three or four retries, but a workflow that calls several services also needs a total time or attempt limit. Otherwise, several modest retry settings can combine into a workflow that runs for far too long.
After the final failed attempt, route the work somewhere visible: a dead-letter queue, failed-run folder, exception list, or alert channel. Retries can recover from short outages. They cannot repair invalid data, expired credentials, or an API contract that has changed.
Choose the Right Backoff Pattern
Exponential backoff with jitter is a strong default for shared APIs and busy integrations. Fixed delays can work for low-volume internal tasks, but they become risky when many runs fail at the same time.
Here is how the common delay patterns differ:
- Fixed backoff: Retry every 60 seconds. It is easy to understand, but failed jobs tend to retry together and create another spike of traffic.
- Linear backoff: Retry after 30, 60, 90, and 120 seconds. This spreads requests somewhat but continues applying steady pressure to an unavailable service.
- Exponential backoff: Retry after 30, 60, 120, and 240 seconds. The wait grows quickly, giving a short outage time to clear without repeatedly hitting the destination.
- Exponential backoff with jitter: Add randomness to the delay. A planned 120-second retry might wait anywhere from zero to 120 seconds.
Jitter matters when many workflows call the same API. Without it, a rate limit or service interruption can cause large groups of runs to retry at the exact same second. That synchronized wave can trigger another rate limit or prolong the outage.
A useful approach is full jitter: calculate the exponential delay, then choose a random wait between zero and that delay. AWS documents this pattern for reducing contention during repeated retries, and the same principle applies to concurrent integration jobs.
Honor Retry-After whenever an API sends it. This header tells the client how long to wait, particularly after rate limits and some service-unavailable responses. If the server asks for a longer pause than the local schedule would use, wait for the server-directed interval.
Protect Write Operations From Duplicates
Every retry of a write operation can create a duplicate result unless the destination handles repeated requests safely.
A timeout does not prove that the destination failed. The integration may have lost the response after the destination created a contact, invoice, order, support ticket, or payment request. Retrying immediately can create a second copy.
Put one of these protections in place before retrying create, update, or payment-related actions:
- Send an idempotency key that stays the same for every retry of the same action.
- Save the destination record ID after a successful write.
- Search for an existing record using a unique external ID before creating a new one.
- Use an upsert action instead of separate create and update actions.
- Send work through a queue with a consumer that records completed message IDs.
Without these safeguards, retries can create expensive cleanup work: duplicate CRM records, duplicate orders, repeated notifications, and conflicting downstream data.
Read-only requests carry less duplicate risk, but they still need limits. Retrying a long reporting query can occupy execution capacity and cause a backlog behind it.
Use More Advanced Controls Where Failure Is Costly
A basic retry policy is often enough for a low-volume notification flow with limited downstream impact. A short retry schedule and a clear failed-run alert can keep that kind of workflow manageable.
More detailed controls matter when an integration handles money movement, inventory, identity records, regulated data, or a high volume of API traffic. In these cases, endpoint-specific retry rules, header-aware waits, configurable jitter, dead-letter routing, replay controls, and detailed attempt logs help prevent costly mistakes.
Add those controls when any of the following is true:
- One workflow calls several APIs with different rate limits.
- The destination applies quotas per minute, user, or access token.
- A failed run must restart from one step instead of replaying the entire workflow.
- A user needs to correct data and resume the run without recreating earlier records.
- A short outage creates a large backlog of pending work.
Avoid building elaborate retry branches for rare, low-impact failures. Every error path needs monitoring and maintenance when an API changes response formats, authentication rules, or rate-limit behavior.
Watch Retry Load as Traffic Grows
A retry policy that works for ten runs per hour can behave badly at 10,000 runs per hour. Revisit the settings after traffic growth, recurring failures, or API changes.
Track these operational signals:
- Retry rate: A sustained increase often points to an API issue, credential problem, or data-quality problem.
- Final failure rate: If final failures rise, backoff is delaying the issue rather than recovering it.
- Queue age: The age of the oldest queued message shows whether the system is catching up after an outage.
- Duplicate-event rate: An increase signals that idempotency or deduplication controls need attention.
Keep attempt-level logs with a correlation ID, destination response code, delay used, and final outcome. A generic “workflow failed” message does not show whether the cause was a 429 rate limit, an expired token, or an invalid field.
Also revisit retry rules after an API version change or updated rate-limit policy. A destination may reduce an endpoint quota, change timeout behavior, or require a new authentication flow. If the integration is not updated, retries can bury the real problem under repeated failures.
Set Timeouts, Rate Limits, and Workflow Limits Together
Retries, timeouts, and rate limits need to work together. A poorly chosen timeout can cause retries that were never necessary.
For each endpoint, establish these rules:
- Identify which status codes represent temporary failures.
- Record whether the API sends
Retry-After, rate-limit headers, or reset timestamps. - Set the client timeout below the integration tool’s total execution timeout.
- Keep the retry window inside the workflow’s maximum run duration.
- Determine whether write requests accept an idempotency key.
- Decide whether only the failed API step retries or whether the full workflow restarts.
- Assign an alert owner for runs that exhaust the retry budget.
Timeouts deserve particular attention. A 30-second client timeout paired with a destination that normally completes a request in 45 seconds creates avoidable retries. In that situation, extending the client timeout is safer than repeatedly sending the same request.
Use a Queue, Correction Flow, or Circuit Breaker When Retries Are the Wrong Tool
Automatic retries are not a fix for every failure.
Use a correction workflow for malformed fields, missing required values, rejected business rules, and other data problems. Send the failed payload to a review location where a person or validation process can correct it before resubmission.
Use a queue when incoming traffic arrives faster than the destination can accept it. A queue smooths bursts, separates ingestion from processing, and lets workers slow down or pause without losing incoming events.
Use a circuit breaker when a service repeatedly returns 5xx responses. After a defined number of failures, stop sending new requests for a cooldown period. This protects the integration platform and the failing destination from a growing stack of requests with little chance of succeeding.
Authentication failures, permission errors, invalid routes, and extended outages should also leave the retry path quickly. Repeating a 401 or 403 response does not repair the connection. It only delays the credential or permission fix.
Retry Configuration Checklist
Before enabling retries, set the policy in writing:
- Retry only network failures, HTTP 408, HTTP 429, and selected HTTP 5xx responses.
- Start with three or four retries rather than unlimited attempts.
- Use exponential delays such as 30, 60, 120, and 240 seconds.
- Add jitter when many runs call the same API.
- Honor
Retry-Afterand rate-limit reset values. - Cap the full workflow retry window.
- Protect writes with idempotency keys, unique external IDs, or upserts.
- Route final failures to a queue, failed-run list, or review process.
- Alert on repeated final failures rather than every individual retry.
- Log the response code, attempt number, delay, and correlation ID.
Mistakes to Avoid
Retrying every error code
Retried 401 responses still fail until credentials are refreshed. Retried 422 responses still fail until the payload is corrected. Limit retries to failures that have a realistic chance of clearing on their own.
Using one fixed delay for every job
A fixed 60-second timer can look tidy in a small workflow. At scale, it creates synchronized retries after an outage and sends another burst of traffic to the same struggling API.
Restarting the entire workflow after one failed request
If earlier steps already completed, replaying the whole workflow can resend emails, recreate records, or repeat transactions. Retry the failed step where the integration tool supports step-level recovery.
Hiding final failures inside the retry setting
A retry policy without an alert, queue, or review path turns a temporary failure into silent data loss. Someone needs a clear way to see, correct, and replay unresolved work.
Bottom Line
Use three or four exponential retries with jitter for temporary API failures. Honor server-provided delays, protect write operations from duplication, and stop automatic retries after the defined budget.
The goal is not to keep retrying until something succeeds. It is to recover from short interruptions without creating duplicate work or hiding failures that need attention.
Decision Checklist
| Check | Why it matters | What to confirm before choosing |
|---|---|---|
| Fit constraint | Keeps the guidance tied to the real setup instead of generic tips | Size, compatibility, timing, budget, skill level, or storage limits |
| Wrong-fit signal | Shows when the default answer is likely to disappoint | The setup, upkeep, storage, or follow-through requirement cannot be met |
| Lower-risk next step | Turns the guide into an action plan | Measure, compare, test, verify, or choose the simpler path before committing |
FAQ
How many retries should an integration use?
Three or four retries is a practical starting point for most API calls. That gives short network and service interruptions time to clear without keeping a workflow open for too long. Increase the count only when the destination has longer recovery windows and the action is safe to repeat.
What is a good backoff schedule?
A 30, 60, 120, and 240-second schedule is a useful starting point. Add jitter for shared APIs or high-volume workflows so failed jobs do not retry in synchronized waves.
Should HTTP 429 errors be retried?
Yes. Retry HTTP 429 responses after the API’s Retry-After delay or rate-limit reset time. When the API does not provide a wait period, use exponential backoff with jitter and reduce concurrency where the integration tool allows it.
Should a timeout be retried?
A timeout can be retried, but write actions need duplicate protection first. A timeout does not prove that the destination failed to process the request, so use an idempotency key, external reference ID, or upsert method before repeating a create or payment-related action.
What should happen after the final retry fails?
Send the run to a dead-letter queue, failed-run list, or alertable exception process. Include the original payload, response code, error message, attempt count, and correlation ID so the issue can be corrected or replayed without guesswork.