Rate Limiting
The API uses token bucket rate limiting with three tiers. Rate limits are per-IP for public endpoints and per-user for push endpoints.
Tiers
| Tier | Endpoints | Default Rate | Default Burst |
|---|---|---|---|
| public | Rendered pages (/s/, /p/, /@), docs |
10 req/sec | 150 |
| auth | Register, challenge, verify, account destroy | ~10 req/min | 5 |
| push | Session push, plan push (per user) | 10 req/sec | 150 |
Behavior
When you exceed the rate limit, the server returns 429 Too Many Requests. The token bucket refills at the configured rate, so brief bursts are allowed up to the burst limit.
IP detection
By default, the rate limiter uses the connecting IP address.
WebSocket rate limiting
WebSocket reaction endpoints have an additional per-connection rate limit of 3 messages per second. Excess messages are silently dropped (no error response).