- Clarify the identification strategies for different endpoint types
- Refine explanations of rate-limiting configurations
- Improve consistency and clarity in documentation
src/content/docs/api-server/features/rate-limiting.mdx
9 additions & 7 deletions
@@ -11,19 +11,21 @@ This is crucial for preventing abuse, such as brute-force attacks on the authent
11
11
12
12
### How It Works
13
13
14
-
The rate-limiting mechanism is implemented as a middleware that runs on specific routes. It uses the client's IP address to identify unauthenticated requests and the user's ID for authenticated requests.
14
+
The rate-limiting mechanism is implemented as a middleware that runs on specific routes. It uses a different strategy for identifying clients depending on the endpoint's sensitivity and authentication requirements.
15
15
16
16
There are two distinct rate-limiting configurations applied to different parts of the API:
17
17
18
-
1.**Sensitive Endpoint Limiting:**
18
+
1.**IP-Based Limiting for Sensitive Unauthenticated Endpoints:**
19
19
-**Target:** The `/api/v1/auth/request-code` endpoint.
20
-
-**Purpose:** This endpoint is more sensitive as it triggers an email to be sent. The rate limit here is intentionally strict to prevent spamming users with verification codes.
21
-
-**Default Limit:** 3 requests per 24 hours.
20
+
-**Identification:** Requests are tracked by the client's **IP address**.
21
+
-**Purpose:** This endpoint is unauthenticated and triggers a costly action (sending an email). The rate limit is strict to prevent anonymous users from spamming the service.
22
+
-**Default Limit:** 3 requests per IP address per 24 hours.
22
23
23
-
2.**General Data API Limiting:**
24
+
2.**User-Based Limiting for Authenticated Endpoints:**
24
25
-**Target:** All endpoints under `/api/v1/data`.
25
-
-**Purpose:** This provides a generous limit for general application usage while still protecting the server from excessively frequent requests from a single client.
26
-
-**Default Limit:** 1000 requests per 60 minutes.
26
+
-**Identification:** Requests are tracked by the authenticated **user's ID**.
27
+
-**Purpose:** This provides a generous limit for general application usage while still protecting the server from excessively frequent requests from a single authenticated user.
28
+
-**Default Limit:** 1000 requests per user per 60 minutes.
27
29
28
30
<Asidetype="note"title="Bypassing Limits">
29
31
Users with the `admin` or `publisher` role automatically bypass all rate limits, ensuring that administrative tasks are never blocked.
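Review bot: the rewritten purpose line for `/api/v1/auth/request-code` (`-**Purpose:** This endpoint is unauthenticated and triggers a costly action (sending an email).`) silently drops the old claim that the limit prevents spamming users with verification codes, and the new identification line shows why it had to go: a limit of 3 requests per IP address per 24 hours bounds what one address can do, not how many codes one recipient gets, so a caller with many addresses can still flood a single inbox. Either document a per-recipient limit alongside the per-IP one, or state explicitly that recipient spam is out of scope for this limiter. Two smaller documentation gaps in the same hunk: "Requests are tracked by the client's **IP address**" should say where that address is taken from (socket peer versus a forwarded header behind a proxy), because a forwarded header trusted from any source lets the client choose its own rate-limit key; and the unchanged note "Users with the `admin` or `publisher` role automatically bypass all rate limits" now reads wrong for the first limiter, which keys on IP before any authentication and therefore cannot see a role. Scope the bypass to the user-based limiter, or explain how the role is known on the unauthenticated endpoint.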