Rate Limiting
Rate limiting protects the API from abuse and ensures fair usage across all consumers. Limits are enforced at multiple levels: per API key, per authentication route, and per usage tracking.
API Key Rate Limiting
The ApiKeyRateLimiter middleware enforces per-key rate limits based on the rate_limit_per_minute field on the ApiKey model.
- Each API key has its own rate limit, set at creation time
- The default limit is determined by the organization's subscription plan
- When the limit is exceeded, a `429 Too Many Requests` response is returned
- Response headers include rate limit metadata:
  X-RateLimit-Limit: 60
  X-RateLimit-Remaining: 42
  X-RateLimit-Reset: 1672531260
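The following middleware is an added illustration of how a per-key limiter built on Laravel's RateLimiter facade produces the 429 response and the three headers above; it is not the project's own ApiKeyRateLimiter. It assumes an earlier authentication middleware has already resolved the ApiKey model and stored it on the request attributes under `api_key`.

```php
<?php
// Added example, not the project's code. Assumes a preceding middleware has
// authenticated the key and placed the ApiKey model in $request->attributes['api_key'].
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Symfony\Component\HttpFoundation\Response;

class ApiKeyRateLimiterExample
{
    public function handle(Request $request, Closure $next): Response
    {
        $apiKey = $request->attributes->get('api_key');   // assumption: set upstream
        $max    = (int) $apiKey->rate_limit_per_minute;   // per-key limit from the model

        // Key the counter on the model's primary key, never on the plaintext secret,
        // so the secret is not written into the cache backend.
        $bucket = 'api-key:' . $apiKey->getKey();

        if (RateLimiter::tooManyAttempts($bucket, $max)) {
            $retryAfter = RateLimiter::availableIn($bucket); // seconds until the window resets
            $response = response()->json(['message' => 'Too Many Requests'], 429);
            $response->headers->set('Retry-After', $retryAfter);
            $this->addRateLimitHeaders($response, $bucket, $max);
            return $response;
        }

        RateLimiter::hit($bucket, 60);   // count this request in a 60-second decay window
        $response = $next($request);
        $this->addRateLimitHeaders($response, $bucket, $max);
        return $response;
    }

    private function addRateLimitHeaders(Response $response, string $bucket, int $max): void
    {
        // Reset is reported as a Unix timestamp, matching the documented X-RateLimit-Reset format.
        $resetAt = now()->addSeconds(RateLimiter::availableIn($bucket))->getTimestamp();
        $response->headers->set('X-RateLimit-Limit', $max);
        $response->headers->set('X-RateLimit-Remaining', max(0, RateLimiter::remaining($bucket, $max)));
        $response->headers->set('X-RateLimit-Reset', $resetAt);
    }
}
```

Because the counter lives in the configured cache store, the limit is shared consistently across application instances only when that store is shared (for example Redis), not when each node uses a local file or array cache.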
Auth Route Rate Limits
Authentication routes have stricter limits to prevent brute-force attacks:
- Login: 10 requests per minute per IP
- Password reset: 5 requests per minute per IP
- MFA verification: 5 requests per minute per IP
- Magic link: 5 requests per minute per IP
These limits are configured in bootstrap/app.php using Laravel's built-in rate limiter and apply regardless of authentication method.
Usage Tracking
The TrackApiUsage middleware records usage metrics for every API key request:
- Tracks total requests per key over time
- Records endpoint, response status, and timestamp
- Data is available via the admin panel for monitoring
- Can be used for usage-based billing calculations
Usage tracking runs asynchronously and does not add latency to API responses.