Feature: Rate Limiting

To ensure the stability and security of the API, the server includes a built-in rate-limiting feature. This system automatically tracks the number of requests from a given source and blocks further requests if they exceed a configured limit within a specific time window.

This is crucial for preventing abuse, such as brute-force attacks on the authentication endpoints or overly aggressive polling of the data API.

The rate-limiting mechanism is implemented as a middleware that runs on specific routes. It uses a different strategy for identifying clients depending on the endpoint’s sensitivity and authentication requirements.

There are two distinct rate-limiting configurations applied to different parts of the API:

  1. IP-Based Limiting for Sensitive Unauthenticated Endpoints:

    • Target: The /api/v1/auth/request-code endpoint.
    • Identification: Requests are tracked by the client’s IP address.
    • Purpose: This endpoint is unauthenticated and triggers a costly action (sending an email). The rate limit is strict to prevent anonymous users from spamming the service.
    • Default Limit: 3 requests per IP address per 24 hours.
  2. User-Based Limiting for Authenticated Endpoints:

    • Target: All endpoints under /api/v1/data.
    • Identification: Requests are tracked by the authenticated user’s ID.
    • Purpose: This provides a generous limit for general application usage while still protecting the server from excessively frequent requests from a single authenticated user.
    • Default Limit: 1000 requests per user per 60 minutes.

These limits are configurable via environment variables, allowing you to adjust them for your specific production needs. For details, see the Configure Environment Variables guide.

When a client exceeds a rate limit, the API will respond with an HTTP 429 Too Many Requests status code and the following error payload:

{
  "error": {
    "code": "tooManyRequests",
    "message": "You have made too many requests. Please try again later."
  }
}
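The following is an added illustration of how the two configurations above and the 429 response fit together as a middleware; it is not the project's own code. It uses fixed time windows (the page does not say which windowing algorithm the server uses), and the environment variable names, the `Request` shape, the injected clock and the 401 payload for an unauthenticated data request are all assumptions made for this example. The 429 payload is the one documented above.

```python
"""Fixed-window rate limiting for the two API configurations described above.

Added example, not the project's own middleware. Environment variable names,
the Request shape and the 401 payload are assumptions for this illustration.
"""
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Payload documented for HTTP 429 responses.
TOO_MANY_REQUESTS_BODY = {
    "error": {
        "code": "tooManyRequests",
        "message": "You have made too many requests. Please try again later.",
    }
}


@dataclass
class RateLimiter:
    """Counts requests per key inside fixed windows of `window_seconds`."""
    limit: int
    window_seconds: int
    clock: Callable[[], float] = time.time
    # key -> (window start, requests seen in that window); in-process only.
    _buckets: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def check(self, key: str) -> Tuple[bool, int]:
        """Return (allowed, retry_after_seconds); records the request if allowed."""
        now = self.clock()
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window_seconds:
            start, count = now, 0          # window expired: start a fresh one
        if count >= self.limit:
            remaining = int(self.window_seconds - (now - start))
            return False, max(remaining, 1)
        self._buckets[key] = (start, count + 1)
        return True, 0


def _env_int(name: str, default: int) -> int:
    # Hypothetical variable names; the real ones are listed in the
    # Configure Environment Variables guide.
    return int(os.environ.get(name, default))


def build_limiters(clock: Callable[[], float] = time.time) -> Dict[str, RateLimiter]:
    """One limiter per configuration, using the documented defaults unless overridden."""
    return {
        "auth": RateLimiter(_env_int("RATE_LIMIT_AUTH_MAX", 3),
                            _env_int("RATE_LIMIT_AUTH_WINDOW_SECONDS", 24 * 3600), clock),
        "data": RateLimiter(_env_int("RATE_LIMIT_DATA_MAX", 1000),
                            _env_int("RATE_LIMIT_DATA_WINDOW_SECONDS", 60 * 60), clock),
    }


@dataclass
class Request:
    path: str
    client_ip: str                  # from the socket, or a proxy header only if that proxy is trusted
    user_id: Optional[str] = None   # set by the authentication middleware, which runs first


def rate_limit_middleware(request: Request, limiters: Dict[str, RateLimiter]):
    """Return (status, headers, body) to short-circuit the request, or None to let it through."""
    if request.path == "/api/v1/auth/request-code":
        # Unauthenticated and costly: track by client IP.
        limiter, key = limiters["auth"], "ip:" + request.client_ip
    elif request.path.startswith("/api/v1/data"):
        if request.user_id is None:
            # Constructed payload: the page documents no 401 body.
            return 401, {}, {"error": {"code": "unauthorized",
                                       "message": "Authentication required."}}
        # Authenticated: track by user ID so shared IPs are not penalised.
        limiter, key = limiters["data"], "user:" + request.user_id
    else:
        return None                      # route is not rate limited
    allowed, retry_after = limiter.check(key)
    if allowed:
        return None
    return 429, {"Retry-After": str(retry_after)}, TOO_MANY_REQUESTS_BODY
```

Two production caveats the example glosses over: the counters live in one process's memory, so a deployment with several workers or instances needs a shared store with key expiry for the limits to hold across them; and the IP used for the auth limiter must be taken from the socket, or from a forwarding header only when the request provably arrived through a trusted proxy, since otherwise the per-IP count no longer reflects the real source.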