Rate Limits

The platform already implements a three-tier rate limiter: IP burst protection, per-agent sliding windows, and per-tenant quotas, with standard limit headers in responses.

The rate-limit model is already implemented in three layers.

The codebase currently uses a distributed rate limiter with an Upstash Redis-backed path and an in-memory fallback. Public copy should describe the actual model instead of pretending rate limiting is a generic afterthought.

Tier 1

IP burst guard

Default: 120 requests per minute per IP. Applied before authentication to protect the platform from unauthenticated request bursts.

Tier 2

Per-agent sliding window

Default helper: 60 requests per minute per agent or route identifier, with route-level customization available in the code.

Tier 3

Per-tenant quota

Default helper: 5000 requests per hour per tenant to stop one org from overwhelming shared platform capacity.

Standards-friendly headers

Responses include standard limit headers such as X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After.

Backend resilience

If Redis is degraded, the limiter falls back to an in-memory path so protection does not disappear entirely.

Route awareness

These are framework defaults, not a claim that every single route uses the same exact numbers.
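The three tiers and the response headers described above, sketched as an in-memory sliding-window limiter. This is an added example, not the platform's code: `TIERS`, `SlidingWindow` and `checkRequest` are hypothetical names, the limits are the defaults quoted on this page, and the Redis-backed path is not modelled.

```javascript
// Added example; all names are hypothetical. Limits are the page's defaults.
const TIERS = [
  { name: "ip", limit: 120, windowMs: 60_000 },         // Tier 1, pre-auth
  { name: "agent", limit: 60, windowMs: 60_000 },       // Tier 2
  { name: "tenant", limit: 5000, windowMs: 3_600_000 }, // Tier 3
];

class SlidingWindow {
  constructor() { this.hits = new Map(); } // key -> ascending timestamps (ms)
  // Drop timestamps that left the window; return the live list for the key.
  live(key, windowMs, now) {
    const list = (this.hits.get(key) || []).filter((t) => t > now - windowMs);
    this.hits.set(key, list);
    return list;
  }
}

// ids holds whichever identifiers are known: { ip } before authentication,
// { agent, tenant } after it. Tiers without an identifier are skipped.
function checkRequest(store, ids, now = Date.now()) {
  const views = TIERS.filter((t) => ids[t.name] !== undefined).map((tier) => ({
    tier,
    list: store.live(`${tier.name}:${ids[tier.name]}`, tier.windowMs, now),
  }));
  if (views.length === 0) throw new Error("no identifier supplied");
  const headers = (v, extra) => ({
    "X-RateLimit-Limit": String(v.tier.limit),
    "X-RateLimit-Remaining": String(v.tier.limit - v.list.length),
    ...extra,
  });
  // Check every tier before recording, so a rejected request does not
  // consume quota in the tiers that would have allowed it.
  const blocked = views.find((v) => v.list.length >= v.tier.limit);
  if (blocked) {
    // The oldest live hit leaves the window at list[0] + windowMs.
    const waitMs = blocked.list[0] + blocked.tier.windowMs - now;
    const retry = String(Math.max(1, Math.ceil(waitMs / 1000)));
    return { allowed: false, tier: blocked.tier.name,
             headers: headers(blocked, { "Retry-After": retry }) };
  }
  views.forEach((v) => v.list.push(now));
  // Report the tier with the least remaining budget.
  const tight = views.reduce((a, b) =>
    a.tier.limit - a.list.length <= b.tier.limit - b.list.length ? a : b);
  return { allowed: true, tier: tight.tier.name, headers: headers(tight, {}) };
}
```

State held this way is local to one process, so when several instances serve traffic during a fallback the effective ceiling is the configured limit multiplied by the instance count.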

Need the API behavior mapped by route class?

Use the API and authentication pages alongside this one if you are reviewing how browser, agent, and automation traffic is handled in the platform.