Rate limits
The API applies per-tenant and per-endpoint limits to ensure fair usage and stability.
General API (per tenant)
After authentication, tenant-scoped requests are limited by a sliding window:
- Default: 100 requests per 60 seconds per tenant.
- Controlled by server env: RATE_LIMIT_TTL (window in seconds), RATE_LIMIT_LIMIT (max requests per window).
- When exceeded, the API returns 429 Too Many Requests. Retry after the window resets.
Login
Login attempts are rate-limited per email to reduce brute-force risk:
- Default: 5 attempts per window (same TTL as above, or configured separately).
- Env: RATE_LIMIT_LOGIN.
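To make the two limits above concrete, here is an added example (not the project's own code) of a sliding-window limiter that serves both the per-tenant API limit and the per-email login limit. It reads RATE_LIMIT_TTL, RATE_LIMIT_LIMIT and RATE_LIMIT_LOGIN from the environment with the documented defaults; the function names, the response shape and the choice to key login attempts on the lower-cased email are assumptions for illustration. The Login section says the login window may be the same TTL or configured separately; this example assumes the shared TTL.

```python
import math
import os
import time
from collections import defaultdict, deque

# Env names are the ones documented on the page; defaults match the documented values.
WINDOW_SECONDS = int(os.environ.get("RATE_LIMIT_TTL", "60"))
TENANT_LIMIT = int(os.environ.get("RATE_LIMIT_LIMIT", "100"))
LOGIN_LIMIT = int(os.environ.get("RATE_LIMIT_LOGIN", "5"))


class SlidingWindowLimiter:
    """Sliding-window log: at most `limit` accepted hits per `window` seconds per key.

    Rejected requests are not recorded, so a client that keeps retrying while
    blocked does not push its own reset further into the future.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of accepted hits

    def check(self, key, now=None):
        """Try to record one hit for `key`. Returns (allowed, retry_after_seconds)."""
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        # Drop timestamps that have slid out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # The oldest hit in the window decides when the next slot frees up.
            return False, math.ceil(self.window - (now - hits[0]))
        hits.append(now)
        return True, 0


# Hypothetical process-wide limiters; a real deployment would back these with
# shared storage so every API instance sees the same counts.
TENANT_LIMITER = SlidingWindowLimiter(TENANT_LIMIT, WINDOW_SECONDS)
LOGIN_LIMITER = SlidingWindowLimiter(LOGIN_LIMIT, WINDOW_SECONDS)


def too_many_requests(retry_after):
    """429 response carrying Retry-After so clients know when the window resets."""
    return {"status": 429, "headers": {"Retry-After": str(retry_after)}, "body": "Too Many Requests"}


def handle_api_request(tenant_id, now=None):
    """Tenant-scoped request after authentication: limited per tenant."""
    allowed, retry_after = TENANT_LIMITER.check(tenant_id, now)
    if not allowed:
        return too_many_requests(retry_after)
    return {"status": 200, "headers": {}, "body": "ok"}


def handle_login(email, password_ok, now=None):
    """Login attempt: limited per (normalised) email before the password is checked."""
    allowed, retry_after = LOGIN_LIMITER.check(email.strip().lower(), now)
    if not allowed:
        return too_many_requests(retry_after)
    if not password_ok:
        return {"status": 401, "headers": {}, "body": "Unauthorized"}
    return {"status": 200, "headers": {}, "body": "session-created"}


if __name__ == "__main__":
    for _ in range(TENANT_LIMIT):
        handle_api_request("tenant-a")
    print(handle_api_request("tenant-a"))  # 429 once the tenant's window is full
```

Passing `now` explicitly keeps the limiter testable without sleeping; in production leave it unset so `time.monotonic()` is used. Note that a failed password still consumes a login slot, which is the point of the per-email limit.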
AI endpoints
AI-related endpoints (app generation, content suggestions, theme suggestions, etc.) have a separate per-tenant limit (e.g. requests per minute). When exceeded, the API returns an error indicating to try again later. Exact limits may vary by plan or feature flags.
Best practices
- Use pagination (page, limit) for list endpoints to avoid large responses.
- Cache responses where appropriate (e.g. app list, template list).
- Handle 429 by backing off and retrying with exponential backoff.
- Use API keys for server-to-server integration so you don't hit login limits.
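An added example (not part of the original page) of the client-side half of the 429 advice: retry with exponential backoff and full jitter, never sleeping less than the server's Retry-After, and give up after a bounded number of attempts. The `send` callable, the fake scripted server and the `sleep`/`rng` parameters are assumptions made so the behaviour can be exercised offline; Retry-After is only parsed in its delay-seconds form.

```python
import random
import time


def parse_retry_after(headers):
    """Retry-After in delay-seconds form; None if absent or not a number."""
    value = headers.get("Retry-After")
    if value is None:
        return None
    try:
        return float(value)
    except ValueError:
        return None


def backoff_delay(attempt, base=0.5, cap=30.0, retry_after=None, rng=random.random):
    """Exponential backoff with full jitter, floored at the server's Retry-After."""
    ceiling = min(cap, base * (2 ** attempt))
    delay = rng() * ceiling
    if retry_after is not None:
        delay = max(delay, retry_after)
    return delay


def request_with_backoff(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call `send()` until it returns a non-429 response or attempts run out.

    `send` returns (status, headers, body). Returns (response, attempts_used).
    Only 429 is retried here; other statuses are returned to the caller as-is.
    """
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return (status, headers, body), attempt + 1
        if attempt == max_attempts - 1:
            break
        sleep(backoff_delay(attempt, retry_after=parse_retry_after(headers), rng=rng))
    return (status, headers, body), max_attempts


def make_fake_send(responses):
    """Constructed stand-in for an HTTP call: returns scripted responses in order."""
    queue = list(responses)

    def send():
        return queue.pop(0) if queue else (200, {}, "ok")

    return send


if __name__ == "__main__":
    # Constructed scenario: rate-limited twice, then accepted.
    send = make_fake_send([(429, {"Retry-After": "2"}, ""), (429, {}, ""), (200, {}, "ok")])
    print(request_with_backoff(send, sleep=lambda s: print(f"sleeping {s:.2f}s")))
```

Injecting `sleep` and `rng` is what makes the retry loop unit-testable; in production the defaults (`time.sleep`, `random.random`) apply. Keep `max_attempts` small for interactive requests so a saturated tenant fails fast instead of queueing work behind the limit.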