
Rate Limiting

Endpoint Rate Limits

Endpoint                                     Limit   Window
POST /api/v1/auth/login                      5       1 minute
POST /api/v1/auth/register                   3       1 minute
POST /api/v1/auth/refresh                    10      1 minute
POST /auth/email/send-verification           1000    1 minute
POST /auth/email/send-reset-password         1000    1 minute

Public Tracking Rate Limit

Endpoint                                     Limit   Window
GET /api/v1/track/{tracking_id}              60      1 minute

Per IP address.


Rate Limits by Pricing Tier

Tier          API Rate Limit
STARTER       100/min
GROWTH        500/min
SCALE         1000/min
ENTERPRISE    Custom

Response Headers

When a rate limit applies to an endpoint, every response (allowed or rejected) carries these headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1704067200

Rate Limit Exceeded Response

{
  "detail": "Rate limit exceeded: 5 per 1 minute"
}

HTTP Status: 429 Too Many Requests


Implementation

Backend rate limiting uses in-memory storage with cleanup:

# Per-endpoint limits as (max requests, window in seconds)
RATE_LIMITS = {
    "login": (5, 60),      # 5 per 60 seconds
    "register": (3, 60),   # 3 per 60 seconds
    "refresh": (10, 60),   # 10 per 60 seconds
    "send_verification": (1000, 60),
    "send_reset": (1000, 60),
    "tracking": (60, 60),  # Public tracking: 60/min
}
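The following is an added example, not the project's own implementation, showing what "in-memory storage with cleanup" can look like end to end: a sliding-window limiter keyed by endpoint and client IP that uses the RATE_LIMITS table above, emits the X-RateLimit-* headers and the 429 body in the format documented under Response Headers and Rate Limit Exceeded Response, prunes expired timestamps on every check, and drops idle keys in cleanup() so the store cannot grow without bound. It also parses the `N/minute` form used by the RATE_LIMIT_TRACKING environment variable. The class name, the per-IP keying of the auth endpoints, the TEST-NET IP and the fixed start timestamp are assumptions made for the example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

# Copied from the page's RATE_LIMITS table: (max requests, window seconds)
RATE_LIMITS: Dict[str, Tuple[int, int]] = {
    "login": (5, 60),
    "register": (3, 60),
    "refresh": (10, 60),
    "send_verification": (1000, 60),
    "send_reset": (1000, 60),
    "tracking": (60, 60),
}

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str) -> Tuple[int, int]:
    """Parse the env-var form 'N/minute' into (limit, window_seconds)."""
    count, _, unit = spec.strip().partition("/")
    unit = unit.strip().rstrip("s")  # accept 'minutes' as well as 'minute'
    if not count.isdigit() or unit not in _UNITS:
        raise ValueError(f"bad rate limit spec: {spec!r}")
    return int(count), _UNITS[unit]


def _describe_window(window: int) -> str:
    """Render the window the way the 429 body on the page does ('1 minute')."""
    return f"{window // 60} minute" if window % 60 == 0 else f"{window} second"


class InMemoryRateLimiter:
    """Sliding-window limiter keyed by (endpoint, client_ip). Hypothetical class,
    not the project's RateLimiter."""

    def __init__(self, limits: Dict[str, Tuple[int, int]],
                 clock: Callable[[], float] = time.time):
        self.limits = limits
        self.clock = clock  # injectable so tests can control time
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def check(self, endpoint: str, client_ip: str):
        """Record one request; return (status, headers, body_or_None)."""
        limit, window = self.limits[endpoint]
        now = self.clock()
        hits = self._hits[(endpoint, client_ip)]
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - window:
            hits.popleft()
        allowed = len(hits) < limit
        if allowed:
            hits.append(now)
        # Reset = when the oldest counted request leaves the window (epoch seconds).
        reset = int(hits[0] + window) if hits else int(now + window)
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(max(limit - len(hits), 0)),
            "X-RateLimit-Reset": str(reset),
        }
        if allowed:
            return 200, headers, None
        body = {"detail": f"Rate limit exceeded: {limit} per {_describe_window(window)}"}
        return 429, headers, body

    def cleanup(self) -> int:
        """Remove keys whose last request is older than their window; return count removed."""
        now = self.clock()
        stale = [key for key, hits in self._hits.items()
                 if not hits or hits[-1] <= now - self.limits[key[0]][1]]
        for key in stale:
            del self._hits[key]
        return len(stale)


def demo_login_burst(start: float = 1_704_067_200.0):
    """Constructed scenario: six login attempts from one IP in the same second,
    a seventh after the window has passed, then a cleanup pass another
    minute later. Returns (list of check() results, number of keys cleaned)."""
    now = [start]
    limiter = InMemoryRateLimiter(RATE_LIMITS, clock=lambda: now[0])
    ip = "203.0.113.10"  # constructed TEST-NET-3 address
    results = [limiter.check("login", ip) for _ in range(6)]
    now[0] += 61
    results.append(limiter.check("login", ip))
    now[0] += 61
    cleaned = limiter.cleanup()
    return results, cleaned


if __name__ == "__main__":
    results, cleaned = demo_login_burst()
    for status, headers, body in results:
        print(status, headers, body)
    print("keys cleaned:", cleaned)
```

The sixth attempt is rejected with `429` and `{"detail": "Rate limit exceeded: 5 per 1 minute"}`, X-RateLimit-Remaining counts down 4, 3, 2, 1, 0 on the allowed requests, and the seventh attempt 61 seconds later is allowed again. Pruning inside check() keeps each deque bounded by the limit; cleanup() is what a periodic task would call to discard idle keys.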

Frontend tracking page rate limiting:

# 30 requests per minute for tracking page
rate_limiter = RateLimiter(max_requests=30, window_seconds=60)

Configuration

# Environment variables
RATE_LIMIT_TRACKING=60/minute