Rate Limiting
Protect authentication endpoints from abuse using built-in rate limiting.
Tzylo Auth CE includes built-in rate limiting to protect authentication endpoints from abuse and brute-force attacks.
Rate limiting is enabled by default and requires no additional setup.
Why rate limiting exists
Authentication endpoints are common targets for abuse. Rate limiting helps:
- Prevent brute-force password attempts
- Reduce automated abuse
- Protect infrastructure from excessive load
Protected endpoints
Rate limiting is applied to sensitive endpoints such as:
- POST /login
- POST /register
- POST /send-otp
- POST /verify-otp
- POST /forgot-password
How it works
Requests are counted per client over a short time window. Once a client exceeds the limit for that window, its further requests are rejected until enough of the window has elapsed for the count to fall back under the limit; requests are not queued.
The exact thresholds are fixed by the server and chosen to balance usability (a legitimate user mistyping a password a few times) against security (an attacker cycling through a password list).
Storage backend
Rate limiting state is stored using:
- Redis (when configured)
- In-memory storage (fallback)
In-memory state lives inside a single server process. If several instances run behind a load balancer without Redis configured, each instance keeps its own counters, so the limit an attacker actually faces is the configured limit multiplied by the number of instances. Configure Redis for any multi-instance deployment so that all instances share one set of counters.
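The sliding-window behaviour described under "How it works" and the shared-versus-per-process storage difference above, as an added example. This is illustrative code, not Tzylo Auth CE's implementation: the class names, the limit of 5 requests per 60 seconds, the client key (an IP address) and the round-robin load balancing are all assumptions, since the page does not state its thresholds or how clients are keyed.

```python
"""Sliding-window rate limiter for auth endpoints with a pluggable store.

Added example; not Tzylo Auth CE's code. RateLimiter, InMemoryStore and the
limit of 5 requests per 60 s are assumptions chosen for illustration.
"""
import time
from collections import defaultdict, deque


class InMemoryStore:
    """Keeps request timestamps per client key in the local process only.

    Stands in for the in-memory fallback: every server instance that holds
    its own InMemoryStore has its own independent counters.
    """

    def __init__(self):
        self._hits = defaultdict(deque)

    def record(self, key, now, window):
        """Append a hit, drop hits older than the window, return the count."""
        hits = self._hits[key]
        while hits and hits[0] <= now - window:
            hits.popleft()
        hits.append(now)
        return len(hits)


class RateLimiter:
    """Admits at most `limit` requests per `key` in any `window` seconds."""

    def __init__(self, store, limit=5, window=60.0):
        self.store = store
        self.limit = limit
        self.window = window

    def allow(self, key, now=None):
        """Return True if the request is admitted.

        Rejected requests are still recorded, so a client that keeps
        hammering the endpoint stays blocked until it actually backs off.
        """
        if now is None:
            now = time.monotonic()
        return self.store.record(key, now, self.window) <= self.limit


def admit_sequence(limiter, key, times):
    """Send one request per timestamp; return the list of admit decisions."""
    return [limiter.allow(key, now=t) for t in times]


def admitted_across_instances(shared_store, n_instances=2, n_requests=20):
    """How many of n_requests from ONE client get through when the requests
    are spread round-robin over n_instances servers within one window.

    shared_store=True models a Redis-backed deployment (one store for all);
    shared_store=False models the in-memory fallback (one store per process).
    """
    if shared_store:
        store = InMemoryStore()  # one object shared by every instance
        limiters = [RateLimiter(store) for _ in range(n_instances)]
    else:
        limiters = [RateLimiter(InMemoryStore()) for _ in range(n_instances)]
    client = "203.0.113.7"  # constructed client key (an IP address)
    admitted = 0
    for i in range(n_requests):
        if limiters[i % n_instances].allow(client, now=float(i)):
            admitted += 1
    return admitted


if __name__ == "__main__":
    lim = RateLimiter(InMemoryStore(), limit=5, window=60.0)
    # 7 rapid attempts: the first 5 are admitted, then the client is blocked
    print(admit_sequence(lim, "attacker", [0, 1, 2, 3, 4, 5, 6]))
    # ...and admitted again once the early hits age out of the 60 s window
    print(lim.allow("attacker", now=70.0))
    print("shared store :", admitted_across_instances(True))
    print("per-process  :", admitted_across_instances(False))
```

With a shared store the client gets 5 of 20 requests through; with a per-process store behind two instances it gets 10, which is the multiplication effect the caveat above warns about. The timestamps are passed in explicitly so the run is deterministic; in a real server `allow()` would use the clock.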
Configuration
Rate limiting can be controlled using environment variables:
RATE_LIMIT=true
RATE_LIMIT_ENABLED=true

Disabling rate limiting is not recommended for production environments.
Error responses
When a rate limit is exceeded, the server rejects the request with an HTTP error status instead of processing it.
Clients should treat these responses as temporary: wait and retry after a delay, backing off rather than retrying immediately. A rate-limited response to /login or /verify-otp means the request was not evaluated at all, so it should not be reported to the user as a wrong password or code.
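Client-side handling of a rate-limited response, as an added example rather than code from the project. It assumes the error status is 429 Too Many Requests (the standard status for this case; the page says only "an appropriate HTTP error status") and that the server may, but need not, send a Retry-After header; when it does not, the client falls back to exponential backoff with jitter and gives up after a fixed number of attempts.

```python
"""Client-side handling of rate-limit responses: backoff, jitter, give up.

Added example, not Tzylo Auth CE code. Assumes 429 Too Many Requests and an
optional Retry-After header; both are assumptions, not documented behaviour.
"""
import random
import time


class RateLimitedError(Exception):
    """Raised when the server keeps rate-limiting us past max_attempts."""


def retry_on_rate_limit(send, max_attempts=5, base_delay=0.5, max_delay=8.0,
                        sleep=time.sleep, rng=random.random):
    """Call send() until it returns something other than 429.

    send() returns (status, headers). Returns ((status, headers), delays)
    where delays lists the seconds waited before each retry. Honours
    Retry-After when present; otherwise waits base_delay * 2**attempt,
    capped at max_delay, scaled by a jitter factor in [0.5, 1.0] so that
    many blocked clients do not all retry in the same instant.
    """
    delays = []
    for attempt in range(max_attempts):
        status, headers = send()
        if status != 429:
            return (status, headers), delays
        retry_after = headers.get("Retry-After")
        if retry_after is not None:
            delay = float(retry_after)
        else:
            backoff = min(max_delay, base_delay * 2 ** attempt)
            delay = backoff * (0.5 + 0.5 * rng())
        delays.append(delay)
        sleep(delay)
    raise RateLimitedError(f"still rate limited after {max_attempts} attempts")


def scripted_sender(responses):
    """Return a send() that replays a constructed list of (status, headers)."""
    it = iter(responses)
    return lambda: next(it)


if __name__ == "__main__":
    # Constructed server replies: limited with Retry-After, limited without, then OK
    replies = [(429, {"Retry-After": "2"}), (429, {}), (200, {})]
    result, waited = retry_on_rate_limit(scripted_sender(replies),
                                         sleep=lambda s: None, rng=lambda: 1.0)
    print(result, waited)
```

The `sleep` and `rng` parameters are injected so the behaviour can be exercised without real delays; production callers leave the defaults. Note that a 429 on a login or OTP endpoint is returned before credentials are checked, so the caller must not count it as a failed authentication.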