Rate Limits
Rate limits protect authentication and runtime surfaces from credential stuffing and runaway clients.
Short definition (citation-ready)
Qefro applies per-route rate limits (especially auth and widget/chat paths). Clients should honor HTTP 429 with exponential backoff and avoid parallel login storms.
Areas (implementation-oriented)
| Area | Behavior |
|---|---|
| Login / OTP / forgot / reset | Per-email Redis-style limits (e.g. login on the order of tens per 15 minutes) |
| Widget HTTP | Middleware limits on widget routes |
| WebSocket chat | Message-rate checks (on the order of tens per minute) |
| Tool test endpoints | Limited to prevent abuse of egress |
Exact numbers can change — treat the table as order-of-magnitude guidance and design clients defensively.
Client guidance
| Do | Don't |
|---|---|
| Back off on 429 | Hammer /auth/login in a loop |
| Cache JWTs until expiry | Mint a new session per API call |
| Batch admin scripts politely | Parallelize thousands of tool tests |
| Reuse one widget connection | Open unbounded WebSockets per page |
Workflow
Handle 429 in production
- Detect 429 + Retry-After if present — Sleep before retry.
- Exponential backoff + jitter — Cap total retries.
- Reduce concurrency — Especially for auth and tool tests.
- Escalate if persistent — May be misbehaving client or shared NAT.
FAQ
Are plan quotas the same as rate limits?
No. Plan quotas (messages/documents) are entitlement limits. Rate limits are abuse controls on HTTP/WS routes.
Do Business Actions to my API count toward Qefro rate limits?
Egress calls are separate from your API’s limits. Still design your API for bursty assistant traffic.