Rate limits in an HTTP API are essential for protecting services against abuse and brute force attacks by restricting the number of requests a client can make within a specified time period. By enforcing rate limits, we can mitigate the risk of unauthorized access, denial of service attacks, and excessive consumption of resources.

Limits work by setting a maximum number of requests (burst amount) allowed for a key within a specified time frame (recovery time). For example, with a limit of 30 requests and a recovery time of 5 minutes, a user can make up to 30 requests before hitting the limit. Additionally, the user receives an extra request every 10 seconds (5 * 60 / 30) until reaching the limit.

GraphQL/Storage/Functions

You can rate-limit the GraphQL, Storage, and Functions services independently of each other. These rate limits are based on the client IP, and requests made to one service do not count toward the rate limits of another service.

Configuration

Project Dashboard -> Settings -> Rate Limiting

Auth

Given that not all endpoints are equally sensitive, Auth supports more complex rate-limiting rules, allowing you to set different configurations depending on the properties of each endpoint.

EndpointsKeyLimitsDescriptionMinimum version
Any that sends emails1Global10 / hourNot configurable. This limit applies to any project without custom SMTP settings0.33.0
Any that sends emails1Client IP10 / hourConfigurable. This limit applies to any project with custom SMTP settings and is configurable0.33.0
Any that sends SMS2Client IP10 / hourConfigurable.0.33.0
Any endpoint that an attacker may try to brute-force. This includes sign-in and verify endpoints3Client IP10 / 5 minutesConfigurable0.33.0
Signup endpoints4Client IP10 / 5 minutesConfigurable0.33.0
AnyClient IP100 / minuteThe total sum of requests to any endpoint (including previous ones) can not exceed this limit0.33.0

Limits are grouped within a given category. For instance, with a limit of 10 per hour for the sign-in/verify category, if a user attempts to sign in 10 times and then tries to verify an OTP code, the latter will be rate-limited alongside the sign-in attempts.

1 Paths included:

  • /signin/passwordless/email
  • /user/email/change
  • /user/email/send-verification-email
  • /user/password/reset
  • /signup/email-password - If email verification enabled
  • /user/deanonymize - If email verification enabled

2 Paths included:

  • /signin/passwordless/sms

3 Paths included:

  • /signin/*
  • */verify
  • */otp

4 Paths included:

  • /signup/*

Configuration

Project Dashboard -> Settings -> Rate Limiting