Skip to main content

Rate Limits

Rate limits protect authentication and runtime surfaces from credential stuffing and runaway clients.

Short definition (citation-ready)

Qefro applies per-route rate limits (especially auth and widget/chat paths). Clients should honor HTTP 429 with exponential backoff and avoid parallel login storms.

Areas (implementation-oriented)

AreaBehavior
Login / OTP / forgot / resetPer-email Redis-style limits (e.g. login on the order of tens per 15 minutes)
Widget HTTPMiddleware limits on widget routes
WebSocket chatMessage-rate checks (on the order of tens per minute)
Tool test endpointsLimited to prevent abuse of egress

Exact numbers can change — treat the table as order-of-magnitude guidance and design clients defensively.

Client guidance

DoDon't
Back off on 429Hammer /auth/login in a loop
Cache JWTs until expiryMint a new session per API call
Batch admin scripts politelyParallelize thousands of tool tests
Reuse one widget connectionOpen unbounded WebSockets per page

Workflow

Handle 429 in production

  1. Detect 429 + Retry-After if presentSleep before retry.
  2. Exponential backoff + jitterCap total retries.
  3. Reduce concurrencyEspecially for auth and tool tests.
  4. Escalate if persistentMay be misbehaving client or shared NAT.

FAQ

Are plan quotas the same as rate limits?
No. Plan quotas (messages/documents) are entitlement limits. Rate limits are abuse controls on HTTP/WS routes.
Do Business Actions to my API count toward Qefro rate limits?
Egress calls are separate from your API’s limits. Still design your API for bursty assistant traffic.