Rate limits
Where limits apply
Every unauthenticated endpoint has a rate limit. Authenticated endpoints have generous per-user limits to protect the brain, not the user.
Per-IP
| Endpoint | Limit |
|---|---|
| POST /api/v1/auth/login | 5 / min |
| POST /api/v1/auth/password-reset-request | 5 / min |
| POST /api/v1/auth/password-reset-complete | 10 / hour |
| POST /api/v1/auth/invite-accept | 10 / min |
| POST /setup | 3 / hour |
| GET /invite/* | 20 / min |
Per-email
An additional bucket prevents attacker-controlled IPs from brute-forcing one email:

| Endpoint | Limit |
|---|---|
| POST /auth/login | 10 / min per email |
| POST /auth/password-reset-request | 3 / hour per email |
Per-user
Applied after authentication:

| Endpoint | Limit |
|---|---|
| POST /api/v1/tasks/bulk-retry | 10 / min |
| POST /api/v1/queues/*/purge | 10 / hour |
| POST /api/v1/memberships/invite | 20 / hour |
Headers
Every response includes:

- X-RateLimit-Limit - the bucket max
- X-RateLimit-Remaining - calls left
- X-RateLimit-Reset - epoch seconds when the bucket refills

On 429 Too Many Requests, a Retry-After header gives the seconds to wait.
Implementation
Token bucket per bucket. Storage: in-process for single-replica; switches to Postgres-backed for multi-replica (v1.1).
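As an added example (not the project's code), a token-bucket limiter that applies the per-IP and per-email login buckets above and emits the headers described in the Headers section; the in-memory dict storage, the bucket key names and the sample addresses are assumptions.

```python
import math
import time

# Constructed defaults copied from the page's login rows: 5/min per IP and
# 10/min per email, enforced as two independent token buckets (capacity, window s).
LOGIN_LIMITS = {"ip": (5, 60), "email": (10, 60)}


class TokenBucket:
    """Holds `capacity` tokens, refilled continuously at capacity/window per second."""

    def __init__(self, capacity, window):
        self.capacity, self.window = capacity, window
        self.tokens, self.last = float(capacity), None

    def refill(self, now):
        if self.last is not None:
            gained = (now - self.last) * self.capacity / self.window
            self.tokens = min(self.capacity, self.tokens + gained)
        self.last = now

    def reset_epoch(self, now):  # X-RateLimit-Reset: when the bucket is full again
        return math.ceil(now + (self.capacity - self.tokens) * self.window / self.capacity)

    def retry_after(self):  # seconds until one token exists; only meaningful when denied
        return math.ceil((1 - self.tokens) * self.window / self.capacity)


class LoginLimiter:
    def __init__(self, limits=LOGIN_LIMITS):
        self.limits, self.buckets = limits, {}  # assumed in-process storage

    def _bucket(self, kind, key):
        if (kind, key) not in self.buckets:
            self.buckets[(kind, key)] = TokenBucket(*self.limits[kind])
        return self.buckets[(kind, key)]

    def check(self, ip, email, now=None):
        """Returns (status, headers). 200 spends one token in every bucket; 429 spends none."""
        now = time.time() if now is None else now
        buckets = [self._bucket("ip", ip), self._bucket("email", email.lower())]
        for b in buckets:
            b.refill(now)
        # Decide on all buckets before spending: a per-IP denial must not drain the
        # per-email bucket, or a blocked IP could lock a victim's email out entirely.
        denied = [b for b in buckets if b.tokens < 1]
        if denied:
            tight = max(denied, key=TokenBucket.retry_after)
            return 429, {"Retry-After": str(tight.retry_after()),
                         "X-RateLimit-Limit": str(tight.capacity),
                         "X-RateLimit-Remaining": "0",
                         "X-RateLimit-Reset": str(tight.reset_epoch(now))}
        for b in buckets:
            b.tokens -= 1
        tight = min(buckets, key=lambda b: b.tokens)  # report the bucket nearest exhaustion
        return 200, {"X-RateLimit-Limit": str(tight.capacity),
                     "X-RateLimit-Remaining": str(int(tight.tokens)),
                     "X-RateLimit-Reset": str(tight.reset_epoch(now))}
```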
Tuning
All limits are in-code defaults. Customization requires a PR in v1.0; configurability is on the v1.x roadmap.
Bypass (internal)
Health / metrics endpoints are not rate limited - scraping is expected.