Rate Limiting
The Partner API Gateway implements per-partner rate limiting to prevent abuse and ensure fair usage.
Rate Limit Configuration
Rate limits are configured per partner and can be set for:
- Per Minute: Maximum requests per 60 seconds
- Per Hour: Maximum requests per 3600 seconds
- Per Day: Maximum requests per 86400 seconds
Default Limits:
- Requests per minute: 100
- Requests per hour: 1000
- Requests per day: 10000
Implementation
File: packages/api/src/middleware/rate-limit.ts
Storage
Rate limiting uses Cloudflare KV for distributed state:
- Keys: rate_limit:{partnerId}:{period}:{timeWindow}
- TTL: Automatically expires based on period
- Atomic increments for thread-safe counting
Fallback
If KV is not available, rate limiting is skipped and requests pass through unthrottled (fail-open behaviour, not recommended for production).
Rate Limit Headers
Responses include rate limit headers:
- X-RateLimit-Limit-Minute: Maximum requests per minute
- X-RateLimit-Limit-Hour: Maximum requests per hour
- X-RateLimit-Limit-Day: Maximum requests per day
Error Response
When a rate limit is exceeded:
{
"error": "Rate limit exceeded",
"message": "Maximum 100 requests per minute",
"retryAfter": 5000
}
Status code: 429 Too Many Requests
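The following is an added example, not the contents of packages/api/src/middleware/rate-limit.ts: a fixed-window limiter that uses the key scheme, default limits, headers and 429 body described above. `CounterStore`, `MemoryStore` and `checkRateLimit` are hypothetical names, the in-memory store stands in for the KV binding, and `retryAfter` is assumed to be milliseconds until the current window ends.

```typescript
// Added example: fixed-window limiter using the key scheme and defaults from this page.
// CounterStore and MemoryStore are hypothetical stand-ins for the KV binding.
type Period = "minute" | "hour" | "day";

const PERIODS: { name: Period; seconds: number; limit: number; header: string }[] = [
  { name: "minute", seconds: 60, limit: 100, header: "X-RateLimit-Limit-Minute" },
  { name: "hour", seconds: 3600, limit: 1000, header: "X-RateLimit-Limit-Hour" },
  { name: "day", seconds: 86400, limit: 10000, header: "X-RateLimit-Limit-Day" },
];

interface CounterStore {
  // Increment the counter at key and return the new value; the entry expires after ttlSeconds.
  increment(key: string, ttlSeconds: number, nowMs: number): number;
}

class MemoryStore implements CounterStore {
  private entries = new Map<string, { count: number; expiresAt: number }>();
  increment(key: string, ttlSeconds: number, nowMs: number): number {
    const hit = this.entries.get(key);
    const entry = hit && hit.expiresAt > nowMs ? hit : { count: 0, expiresAt: nowMs + ttlSeconds * 1000 };
    entry.count += 1;
    this.entries.set(key, entry);
    return entry.count;
  }
}

interface Decision {
  status: 200 | 429;
  headers: Record<string, string>;
  body?: { error: string; message: string; retryAfter: number };
}

function checkRateLimit(store: CounterStore | undefined, partnerId: string, nowMs: number): Decision {
  const headers: Record<string, string> = {};
  for (const p of PERIODS) headers[p.header] = String(p.limit);
  if (!store) return { status: 200, headers }; // documented fallback: limiter is skipped
  for (const p of PERIODS) {
    const windowMs = p.seconds * 1000;
    const timeWindow = Math.floor(nowMs / windowMs); // index of the current fixed window
    const key = `rate_limit:${partnerId}:${p.name}:${timeWindow}`;
    if (store.increment(key, p.seconds, nowMs) > p.limit) {
      const retryAfter = (timeWindow + 1) * windowMs - nowMs; // ms until the window rolls over (assumed unit)
      return { status: 429, headers, body: { error: "Rate limit exceeded",
        message: `Maximum ${p.limit} requests per ${p.name}`, retryAfter } };
    }
  }
  return { status: 200, headers };
}
```

Passing `undefined` as the store reproduces the fallback path, which makes it easy to see that every request is allowed when the counter backend is missing.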
Configuration
Rate limits are configured in partner configuration:
- Stored in D1 database (future enhancement)
- Currently uses default values
- Can be customized per partner tier