[Request]: Document users permissions rate limiting

[fredericDelaporte]

Summary

It seems there is some rate limiting on the Strapi login page by default. But I am unable to find information about it in the documentation.

I have looked here and even in the v4 version of the page.

Would it be possible to document it in users-permissions.md?

On the soon to be closed forum, I have found this message giving an example of configuration for Strapi v4, no idea if that does still apply for Strapi v5, and what are the units of the settings, to which endpoints it applies, ...

// path: ./config/plugins.js

module.exports = ({ env }) => ({
  'users-permissions': {
    config: {
      ratelimit: {
        interval: 60000,
        max: 100000
      }
    }
  }
});

Obviously this sample code seems to practically disable the rate limiting, though.

I have also found this CVE which implies there is actually a rate limiting in Strapi v4 at least on the login endpoint.

Why is it needed?

Some of our users have complained about 429 errors when attempting to login, and we had no clue about the cause.

We also have no mean to asses if we need to act on the rate limiting rule parameters, having no idea what they are. Is it IP based, so causing troubles when multiple users share the same IP? Something else? What is the default trigger? Time period considered, how many attempt triggers the blocking, ...?

We thought it was our own CloudFlare rules, but no event were to be seen there. And so, we have configured redundant rate limiting rules if Strapi already have its own, by lack of knowing it.

Suggested solution(s)

Document default rate limiting rules in place in Strapi:

• Which endpoints/features are rate limited by default?
• Which identifiers are used for consolidating the requests count?
• Which time period?
• Which max-count limit triggers the blocking?
• How can all of this be configured?

Related issue(s)/PR(s)

#226 seems to imply this feature was documented in Strapi v3.

[github-actions]

🤖 I've analyzed your question and here's what I found:

Hi there! Thank you so much for taking the time to raise this issue and for your thorough research into Strapi’s rate limiting behavior. We really appreciate your attention to detail and your commitment to improving the documentation for everyone in the community. 😊

Rate Limiting in Strapi Users & Permissions

Is there rate limiting on login endpoints?

Based on the current Strapi documentation, there is no explicit mention of built-in rate limiting for the Users & Permissions (end-user) authentication endpoints (such as /api/auth/local) in Strapi v5. The documentation does cover rate limiting for the admin panel’s authentication endpoints (i.e., for admin users logging into the admin panel), but not for the public Users & Permissions plugin endpoints used by end users.

Admin Panel Rate Limiting (Not End-User Auth)

For the admin panel, rate limiting is enabled by default and is configurable. Here are the default settings for the admin panel’s authentication endpoints:

• Enabled: true
• Interval: { min: 5 } (5 minutes)
• Max: 5 (max 5 requests per interval)
• Delay After: 1 (delays after the first request)
• Time Wait: 3000 (3 seconds)
• Prefix Key: ${userEmail}:${ctx.request.path}:${ctx.request.ip}
• Whitelist: [] (no IPs whitelisted by default)
• Store: MemoryStore (in-memory by default)

You can configure these in your config/admin.js file. More details and options are available in the admin panel configuration docs.

Users & Permissions Plugin (End-User Auth)

For the Users & Permissions plugin (which handles end-user login, registration, etc.), the official documentation does not currently describe any default rate limiting on endpoints like /api/auth/local. There is also no documented configuration for rate limiting these endpoints in Strapi v5 at this time. The sample code you found for v4 is not referenced in the v5 documentation, and there is no mention of a ratelimit config for the Users & Permissions plugin in the official docs.

What to do if you’re seeing 429 errors?

If your users are experiencing 429 errors on login endpoints, and you have confirmed it’s not from an external service (like Cloudflare), it may be due to a custom middleware, a plugin, or a legacy configuration. As of now, there is no documented, built-in rate limiting for end-user authentication endpoints in Strapi v5.

Next Steps & Suggestions

• If you believe there is undocumented rate limiting, or you are seeing 429s from a fresh Strapi v5 install, please let us know with more details so we can investigate further.
• For feature requests (such as adding or documenting rate limiting for end-user endpoints), you can submit ideas or upvote existing ones at feedback.strapi.io.
• For real-time help or to discuss with other users, the Strapi Discord and Forum are great resources.

Documentation Improvement

Your suggestion to document this in the users-permissions.md file is excellent. We’ll flag this for the documentation team to review and clarify the current behavior.

---

Summary of Answers to Your Questions:

• Which endpoints/features are rate limited by default?
  Only admin panel authentication endpoints are documented as rate limited by default.
• Which identifiers are used for consolidating the requests count?
  For admin panel: ${userEmail}:${ctx.request.path}:${ctx.request.ip}.
• Which time period?
  Default is 5 minutes for admin panel.
• Which max-count limit triggers the blocking?
  Default is 5 requests per 5 minutes for admin panel.
• How can all of this be configured?
  Via config/admin.js for the admin panel. No documented config for end-user endpoints.

If you have further details or logs about the 429 errors, please share them so we can help you troubleshoot further. Thank you again for helping make Strapi better for everyone!

---

If this turns out to be a product bug or undocumented core functionality, I’ll flag @pwizla for further review and possible transfer to the main Strapi repository.

Warm regards,
The Strapi Team

---

References:

• Admin panel rate limiting configuration
• Admin panel configuration examples

📚 Relevant documentation:

• Admin panel configuration - Authentication
• Admin panel configuration - Configuration examples
• Admin panel configuration - Rate limiting
• API configuration
• Community & Support
• Creating and adding a custom Users & Permissions provider
• Email
• Examples cookbook: Authentication flow with JWT - Enhanced Authentication with Session Management
• Plugins configuration
• Release notes - 5.8.0
• Role-Based Access Control (RBAC) - Plugins and Settings
• Users & Permissions
• Users & Permissions - API usage
• Users & Permissions - Code-based configuration
• Users & Permissions providers

---

ℹ️ This response was generated automatically. If this doesn't fully answer your question or if you need further assistance, please mention @pwizla in a comment and a human maintainer will help you.

You can also try our interactive AI chat for more detailed assistance.

💡 For feature requests or product feedback, visit feedback.strapi.io.

[fredericDelaporte]

Actually that was the admin panel rate limiting I was looking for, but I was not finding it. Still I do not understand with the default settings how a bunch of users could have been blocked simultaneously by this rate limiting, but that would be another issue than a documentation then.