Protecting your service against abuse
Endpoints | Key | Limits | Description | Minimum version |
---|---|---|---|---|
Any that sends emails1 | Global | 10 / hour | Not configurable. This limit applies to any project without custom SMTP settings | 0.33.0 |
Any that sends emails1 | Client IP | 10 / hour | Configurable. This limit applies to any project with custom SMTP settings and is configurable | 0.33.0 |
Any that sends SMS2 | Client IP | 10 / hour | Configurable. | 0.33.0 |
Any endpoint that an attacker may try to brute-force. This includes sign-in and verify endpoints3 | Client IP | 10 / 5 minutes | Configurable | 0.33.0 |
Signup endpoints4 | Client IP | 10 / 5 minutes | Configurable | 0.33.0 |
Any | Client IP | 100 / minute | The total sum of requests to any endpoint (including previous ones) can not exceed this limit | 0.33.0 |
/signin/passwordless/email
/user/email/change
/user/email/send-verification-email
/user/password/reset
/signup/email-password
- If email verification enabled/user/deanonymize
- If email verification enabled/signin/passwordless/sms
/signin/*
*/verify
*/otp
/signup/*