Rate Limiting

To protect the API from abuse and expensive queries, the following multi-layer strategy is planned (drawn from api-security-guidelines.md).

1. Query Depth & Cost Analysis

  • Maximum depth: 8 levels (configurable).
  • Field cost map assigns weights; default allowance 1000 units per request.
  • Requests breaching limits receive a GraphQL error with code RATE_LIMITED.

2. HTTP Request Throttling

| Tier | Limit | Window |
|------|-------|--------|
| Public/Unauthenticated | 20 reqs | 1 minute |
| Authenticated User | 120 reqs | 1 minute |
| System Integrations | 600 reqs | 1 minute |

Limits enforced at API gateway (e.g., Cloudflare or FastAPI middleware).

3. WebSocket Subscriptions

  • Connection limit per user: 3 concurrent sockets.
  • Message rate capped to 30 msgs/sec; excess messages buffered or dropped.

4. Abuse Response

  • Exponential back-off + Retry-After header where applicable.
  • Repeated violations flagged in audit log and can trigger account suspension.
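
An added sketch, not taken from api-security-guidelines.md or the project's code, of how sections 2 and 4 could fit together: a fixed-window counter per tier and client, with the block time doubling on each repeated violation and returned as the Retry-After value. The fixed-window algorithm, the short tier keys, the one-hour back-off cap and the audit-log tuple are assumptions; the page leaves the algorithm pending.

```python
import math
from dataclasses import dataclass, field

# Requests per 60-second window, from the tier table in section 2.
# The short tier keys are names chosen for this example.
TIER_LIMITS = {"public": 20, "user": 120, "system": 600}
WINDOW_SECONDS = 60
MAX_BACKOFF_SECONDS = 3600  # assumed cap; the page does not give one


@dataclass
class ClientState:
    window_start: float
    count: int = 0
    violations: int = 0        # breaches since the last clean window
    breached: bool = False     # was the current window breached?
    blocked_until: float = 0.0


@dataclass
class TieredLimiter:
    clients: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (time, tier, client, violations)

    def check(self, tier, client_id, now):
        """Return (allowed, retry_after_seconds) for one request at time `now`."""
        s = self.clients.setdefault((tier, client_id), ClientState(window_start=now))
        if now < s.blocked_until:              # still serving a back-off
            return False, math.ceil(s.blocked_until - now)
        if now - s.window_start >= WINDOW_SECONDS:
            if not s.breached:
                s.violations = 0               # a full clean window resets back-off
            s.window_start, s.count, s.breached = now, 0, False
        s.count += 1
        if s.count <= TIER_LIMITS[tier]:
            return True, 0
        # Over the limit: double the block time for each repeated violation.
        s.violations += 1
        s.breached = True
        backoff = min(WINDOW_SECONDS * 2 ** (s.violations - 1), MAX_BACKOFF_SECONDS)
        s.blocked_until = now + backoff
        self.audit_log.append((now, tier, client_id, s.violations))
        return False, backoff


def rejection_headers(retry_after):
    """Headers for the HTTP 429 response sent when check() refuses a request."""
    return {"Retry-After": str(retry_after)}
```

The caller supplies `now` (for example from `time.monotonic()`), which keeps the limiter deterministic under test; a multi-instance gateway would need shared state in place of the in-process dict.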

Status: skeleton v0.1 – detailed algorithm & gateway configuration pending.