Rate limits
Every server-side `checkRateLimit({ key: ... })` call in the platform is listed below.
A 429 response carries the retry delay in seconds, also sent as the `Retry-After` header.
| Surface | Limit | Key prefix | Applies to |
|---|---|---|---|
| MFA TOTP challenge (sign-in) | 10 / 5m | mfa-challenge: | Per source IP. |
| MFA recovery code (sign-in) | 5 / 5m | mfa-recovery-challenge: | Per source IP — tighter than TOTP since recovery codes are high-value. |
| WebAuthn challenge (sign-in) | 10 / 5m | webauthn-challenge: | Per source IP. |
| WebAuthn register (enrollment) | 5 / 1h | webauthn-register: | Per source IP — 5 enrollment attempts per hour. |
| WebAuthn autofill options (sign-in) | 30 / 5m | webauthn-autofill-options: | Per source IP — generous so tab switches / reloads on the login page don't trip the limit. |
| WebAuthn autofill verify (sign-in) | 10 / 5m | webauthn-autofill-verify: | Per source IP — same limit as webauthn-challenge:; defends against credential-id enumeration. |
| Step-up challenge | 10 / 5m | step-up-challenge: | Per (tenantUserId, source IP). |
| Step-up WebAuthn verify | 10 / 5m | step-up-verify: | Per (tenantUserId, source IP). |
| Step-up TOTP verify | 10 / 5m | step-up-totp: | Per (tenantUserId, source IP). |
| SAML SP-initiated login | 20 / 1m | saml-login: | Per source IP — defeats AuthnRequest flooding. |
| SAML ACS (assertion consumer) | 20 / 1m | saml-acs: | Per source IP. |
| Developer-portal webhook verifier | 20 / 1m | dev-webhook-verify: | Per source IP — defends against using the endpoint as a free HMAC oracle. |
| Audit-prune manual run | 5 / 5m | audit-prune-runnow: | Per tenant — defeats button-smashing to brute-force evidence destruction. |
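Added example, not the platform's own code: a sliding-window limiter that applies the limits and key scopes from the table, keeping the page's `checkRateLimit({ key })` call shape. `LIMITS`, `rateLimitKey`, the in-memory store and the injectable `now` parameter are assumptions made for illustration; a real deployment would back the store with shared storage so limits hold across instances.

```javascript
// Limit definitions taken from the table: max requests per window (ms) per key prefix.
// Only a subset of surfaces is listed here; the mechanism is the same for the rest.
const LIMITS = {
  "mfa-challenge:":          { max: 10, windowMs: 5 * 60_000 },
  "mfa-recovery-challenge:": { max: 5,  windowMs: 5 * 60_000 },
  "webauthn-register:":      { max: 5,  windowMs: 60 * 60_000 },
  "step-up-totp:":           { max: 10, windowMs: 5 * 60_000 },
  "saml-login:":             { max: 20, windowMs: 60_000 },
  "audit-prune-runnow:":     { max: 5,  windowMs: 5 * 60_000 },
};

// In-memory store (assumption): key -> timestamps (ms) of hits still inside the window.
const hits = new Map();

// Build the full key: prefix plus the scope the table assigns to that surface.
// Per-(tenantUserId, IP) surfaces join both parts, so one user cannot consume
// another user's budget and one IP cannot drain a user's budget from elsewhere.
function rateLimitKey(prefix, { ip, tenantUserId }) {
  return tenantUserId === undefined
    ? `${prefix}${ip}`
    : `${prefix}${tenantUserId}:${ip}`;
}

// Returns { allowed: true } or { allowed: false, retryAfter }, where retryAfter is
// the whole number of seconds until the oldest in-window hit expires (the value
// that goes into the Retry-After header). Denied requests are not counted, so a
// client that keeps hammering does not push its own reset further out.
function checkRateLimit({ key, now = Date.now() }) {
  const prefix = key.slice(0, key.indexOf(":") + 1);
  const limit = LIMITS[prefix];
  if (!limit) throw new Error(`no rate limit configured for prefix ${prefix}`);
  // Drop hits that have aged out of the sliding window.
  const recent = (hits.get(key) ?? []).filter((t) => now - t < limit.windowMs);
  if (recent.length >= limit.max) {
    hits.set(key, recent);
    const retryAfter = Math.ceil((recent[0] + limit.windowMs - now) / 1000);
    return { allowed: false, retryAfter };
  }
  recent.push(now);
  hits.set(key, recent);
  return { allowed: true };
}
```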