Rate Limiting
The gateway enforces per-user rate limits to prevent abuse and ensure fair usage across your organization. Rate limits use a KV-backed sliding window counter with configurable thresholds and standard HTTP headers.
How It Works
Each authenticated user has a request counter tracked in Cloudflare KV. When a request arrives, the gateway:
- Looks up the user's current request count for the active window
- If the count is below the threshold, increments the counter and processes the request
- If the count has reached the threshold, returns a 429 Too Many Requests response
Configuration
Rate limits are configured per-tenant in the Portal gateway admin:
| Setting | Description | Default |
|---|---|---|
| Window | The time window for counting requests | 1 minute |
| Threshold | Maximum requests per user per window | 60 |
Response Headers
Every API response includes standard rate limit headers:
| Header | Description | Example |
|---|---|---|
| X-RateLimit-Limit | Maximum requests allowed per window | 60 |
| X-RateLimit-Remaining | Requests remaining in the current window | 42 |
| X-RateLimit-Reset | Unix timestamp when the window resets | 1713100380 |
429 Response
When rate limited, the API returns:
```http
HTTP/1.1 429 Too Many Requests
Content-Type: application/json
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1713100380
Retry-After: 23

{
  "error": {
    "code": "rate_limited",
    "message": "Rate limit exceeded. Retry after 23 seconds."
  }
}
```

Tip: Use the Retry-After header to implement backoff in your applications. It tells you how many seconds to wait before retrying.
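One way to act on the Retry-After header from a client, as an added example (not the gateway's own code). The function names, the 60-second cap on server-supplied waits, the jitter and the 1-second fallback are assumptions; only the header names and status code come from this page.

```javascript
// Added example: client-side handling of the gateway's 429 response.
// Assumed cap: never sleep longer than this on a server-supplied value.
const MAX_WAIT_MS = 60000;

// Returns how long to wait (ms) before retrying, or null if the response is not a 429.
// `headers` may be a fetch Headers object or a plain object with lowercase keys.
function retryDelayMs(status, headers, nowMs = Date.now()) {
  if (status !== 429) return null;
  const get = (name) =>
    typeof headers.get === "function" ? headers.get(name) : headers[name.toLowerCase()];

  // Preferred: Retry-After in whole seconds, as in the sample response above.
  const retryAfter = get("Retry-After");
  if (retryAfter != null && /^\d+$/.test(String(retryAfter).trim())) {
    return Math.min(Number(retryAfter) * 1000, MAX_WAIT_MS);
  }
  // Fallback: X-RateLimit-Reset is a Unix timestamp (seconds) for the window reset.
  const reset = get("X-RateLimit-Reset");
  if (reset != null && /^\d+$/.test(String(reset).trim())) {
    const delta = Number(reset) * 1000 - nowMs;
    return Math.min(Math.max(delta, 0), MAX_WAIT_MS);
  }
  // Neither header is usable (missing or malformed): wait a fixed interval.
  return 1000;
}

// Retries a request on 429, waiting as instructed plus a little jitter so that
// clients released by the same window reset do not all retry at the same instant.
// `doRequest` is any function returning a promise of a fetch-style response.
async function fetchWithBackoff(doRequest, { maxRetries = 3, sleep, jitterMs = 250 } = {}) {
  const wait = sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  for (let attempt = 0; ; attempt++) {
    const res = await doRequest();
    const delay = retryDelayMs(res.status, res.headers);
    // Return on success, on any non-429 error, or once retries are exhausted.
    if (delay === null || attempt >= maxRetries) return res;
    await wait(delay + Math.floor(Math.random() * jitterMs));
  }
}
```

Bounding both the wait and the number of retries keeps a malformed or unexpectedly large header value from stalling the caller indefinitely.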
Rate Limits by Plan
| Plan | Requests per Minute |
|---|---|
| Free | 20 |
| Pro | 60 |
| Enterprise | Custom |
Next Steps
- Configure rate limits in the Portal gateway admin
- Monitor rate limit events in the audit log
- Set up cost controls for budget management