To protect the platform from abuse and ensure fair usage, rate limiting is enforced by default on an IP-address basis. If a client exceeds the allowed number of requests within the specified time window, the API will return a 429 Too Many Requests status code.

Default Rate Limits

The following rate limits apply to various endpoints:

| Endpoint | Rate Limit | Time Window |
| --- | --- | --- |
| POST /login | 30 requests | 15 minutes |
| POST /signup | 30 requests | 60 minutes |
| POST /verify-email | 10 requests | 60 minutes |
| POST /forgot-password | 5 requests | 60 minutes |
| GET /client-side-api | 100 requests | 1 minute |
| POST /share | 100 requests | 60 minutes |

If a request exceeds the defined rate limit, the server will respond with:
{
  "code": 429,
  "error": "Too many requests, Please try after a while!"
}

Disabling Rate Limiting

For self-hosters, rate limiting can be disabled if necessary. However, we strongly recommend keeping rate limiting enabled in production environments to prevent abuse. To disable rate limiting, set the following environment variable:
RATE_LIMITING_DISABLED=1
After making this change, restart your server to apply the new setting.
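
The limits and the disable switch described on this page can be modelled with a small per-IP, per-endpoint limiter. This is an added example, not the platform's own code. It assumes a sliding window and that rejected requests are not counted, neither of which this page specifies; `createLimiter`, `check` and `retryAfterSec` are hypothetical names, and the IP address is a constructed sample.

```javascript
// Added illustration; not the platform's own limiter code.
const MIN = 60 * 1000;
// Limits copied from the table on this page.
const LIMITS = {
  "POST /login": { max: 30, windowMs: 15 * MIN },
  "POST /signup": { max: 30, windowMs: 60 * MIN },
  "POST /verify-email": { max: 10, windowMs: 60 * MIN },
  "POST /forgot-password": { max: 5, windowMs: 60 * MIN },
  "GET /client-side-api": { max: 100, windowMs: 1 * MIN },
  "POST /share": { max: 100, windowMs: 60 * MIN },
};
// Response body as documented on this page.
const TOO_MANY = { code: 429, error: "Too many requests, Please try after a while!" };

// Assumption: sliding window keyed on (IP, endpoint); rejected requests are not recorded.
function createLimiter(env = {}) {
  const hits = new Map(); // "ip|endpoint" -> timestamps of accepted requests
  const disabled = env.RATE_LIMITING_DISABLED === "1";
  return function check(ip, endpoint, now = Date.now()) {
    const rule = LIMITS[endpoint];
    if (disabled || !rule) return { status: 200 };
    const key = `${ip}|${endpoint}`;
    // Keep only the requests that still fall inside the window.
    const recent = (hits.get(key) || []).filter((t) => now - t < rule.windowMs);
    hits.set(key, recent);
    if (recent.length >= rule.max) {
      // retryAfterSec is a hypothetical helper value, not a documented response field.
      const retryAfterSec = Math.ceil((recent[0] + rule.windowMs - now) / 1000);
      return { status: 429, body: TOO_MANY, retryAfterSec };
    }
    recent.push(now);
    return { status: 200 };
  };
}

// Constructed scenario: seven password-reset requests from one IP, one second apart.
function demo() {
  const check = createLimiter();
  const statuses = [];
  for (let i = 0; i < 7; i++) {
    statuses.push(check("203.0.113.7", "POST /forgot-password", i * 1000).status);
  }
  return statuses;
}

console.log(demo().join(" "));
```

Because the key is the client IP as the server sees it, a self-hosted instance behind a reverse proxy has to pass the real client address through, or every user shares one bucket.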