Rate limits

Fire Mission enforces three independent limiters on the /v1/* surface:

1. Per-IP burst limiter

Mounted globally before authentication. Stops anonymous flood traffic from consuming auth-validation cycles. Returns the standard upstream rate-limit envelope on overflow.

2. Per-key burst limiter

Mounted after authentication and keyed on the Fire Mission API key id. Default: 1,200 requests / 60 seconds per key. This stops a single compromised key from saturating the surface even if the attacker rotates source IPs. Returns rate_limit_exceeded (429).

3. Per-key daily spend cap (fail-closed)

Optional, configured via FM_V1_DAILY_SPEND_CAP_CENTS_PER_KEY. Tallies estimated_cost_cents from the metadata-only usage log since the start of the current UTC day. When exceeded, calls fail with spend_cap_exceeded (429). On tally service outage, the limiter fails closed (spend_cap_unavailable, 503) — no uncapped traffic is ever allowed by accident.

4. Free-tier monthly call cap

Free tier has a hard cap of 1,000 calls / UTC month. Pro, Team, and Business tiers have no monthly cap. Source of truth is shared/platform-config.ts, so the cap value never drifts from the marketing surface. Exceeding the cap returns monthly_cap_exceeded (429) with a friendly upgrade pointer.

Headers

The standard RateLimit-* headers are returned on every /v1/* response:

  • RateLimit-Limit — the per-key window cap.
  • RateLimit-Remaining — calls left in the current window.
  • RateLimit-Reset — seconds until the window resets.

Backoff guidance

On a 429, retry with exponential backoff and jitter. For spend_cap_exceeded and monthly_cap_exceeded, retrying without raising the cap is futile — surface the error to the user or operator instead.