Rate limits
Fire Mission enforces three independent limiters on the /v1/* surface:
1. Per-IP burst limiter
Mounted globally before authentication. Stops anonymous flood traffic from consuming auth-validation cycles. Returns the standard upstream rate-limit envelope on overflow.
2. Per-key burst limiter
Mounted after authentication and keyed on the Fire Mission API key id.
Default: 1,200 requests / 60 seconds per key. This stops a
single compromised key from saturating the surface even if the attacker
rotates source IPs. Returns rate_limit_exceeded (429).
3. Per-key daily spend cap (fail-closed)
Optional, configured via FM_V1_DAILY_SPEND_CAP_CENTS_PER_KEY.
Tallies estimated_cost_cents from the metadata-only usage log
since the start of the current UTC day. When exceeded, calls fail with spend_cap_exceeded (429). On tally service outage, the limiter
fails closed (spend_cap_unavailable, 503) — no
uncapped traffic is ever allowed by accident.
4. Free-tier monthly call cap
Free tier has a hard cap of 1,000 calls / UTC month. Pro,
Team, and Business tiers have no monthly cap. Source of truth is shared/platform-config.ts, so the cap value never drifts from
the marketing surface. Exceeding the cap returns monthly_cap_exceeded (429) with a friendly upgrade pointer.
Headers
The standard RateLimit-* headers are returned on every /v1/* response:
RateLimit-Limit— the per-key window cap.RateLimit-Remaining— calls left in the current window.RateLimit-Reset— seconds until the window resets.
Backoff guidance
On a 429, retry with exponential backoff and jitter. For spend_cap_exceeded and monthly_cap_exceeded,
retrying without raising the cap is futile — surface the error to the user
or operator instead.