Source: equa-server/modules/api/src/endpoints/auth-endpoints.ts (registration IP limit), equa-server/modules/agent/src/endpoints/agent-endpoints.ts (agent guardrails)
Rate Limiting
The Equa API does not currently implement a global rate-limiting middleware. However, there are built-in safeguards on specific operations to prevent abuse.
Existing Safeguards
Registration IP Limit
New account registrations are throttled by IP address.

| Variable | Default | Description |
|---|---|---|
| REGISTRATION_IP_LIMIT | 20 | Maximum registrations allowed from a single IP |

The registration endpoint (POST /v1/user) uses request-ip middleware to capture the client IP and enforce this limit.
Email Verification Cooldown
Re-sending verification emails is throttled to prevent abuse.

| Variable | Default | Description |
|---|---|---|
| EMAIL_VERIFICATION_LIMIT_SECONDS | 1800 | Minimum seconds between verification email resends (30 minutes) |

Recommendations for API Consumers
Even without server-side rate limiting, clients should implement reasonable request patterns:
- Avoid polling loops faster than once per second
- Debounce user-triggered searches and availability checks
- Cache responses where data does not change frequently (e.g., billing products, organization features)
- Use exponential backoff when retrying failed requests
Future Rate Limiting
Rate limiting middleware is planned for future releases. When implemented, rate-limited responses will return:
Agent API Limits
The Agent (Equanaut) endpoints have their own built-in rate controls:

| Setting | Default | Description |
|---|---|---|
| AGENT_MAX_TOOL_CALLS_PER_MINUTE | 30 | Maximum tool calls the agent can make |
| AGENT_MAX_WRITE_OPS_PER_MINUTE | 10 | Maximum write operations per minute |
| AGENT_MAX_DESTRUCTIVE_PER_HOUR | 5 | Maximum destructive actions per hour |
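
One way the three agent budgets can be enforced together, as an added example that is not code from equa-server. It assumes sliding windows, one guardrail instance per agent session, and nested budgets (a destructive action also spends a write and a tool call); `AgentGuardrail`, `OpKind` and `simulate` are hypothetical names.

```typescript
// Added illustration; not code from equa-server.
type OpKind = "read" | "write" | "destructive";
interface Budget { limit: number; windowMs: number; }

// Defaults taken from the Agent API Limits table.
const BUDGETS: Record<string, Budget> = {
  AGENT_MAX_TOOL_CALLS_PER_MINUTE: { limit: 30, windowMs: 60 * 1000 },
  AGENT_MAX_WRITE_OPS_PER_MINUTE: { limit: 10, windowMs: 60 * 1000 },
  AGENT_MAX_DESTRUCTIVE_PER_HOUR: { limit: 5, windowMs: 60 * 60 * 1000 },
};

// Assumption: budgets nest, so the stricter kinds also consume the broader ones.
const APPLIES: Record<OpKind, string[]> = {
  read: ["AGENT_MAX_TOOL_CALLS_PER_MINUTE"],
  write: ["AGENT_MAX_TOOL_CALLS_PER_MINUTE", "AGENT_MAX_WRITE_OPS_PER_MINUTE"],
  destructive: Object.keys(BUDGETS),
};

class AgentGuardrail {
  private hits = new Map<string, number[]>(); // budget name -> timestamps (ms)

  // Returns the name of the exhausted budget, or null when the call is allowed.
  check(kind: OpKind, now: number): string | null {
    const names = APPLIES[kind];
    for (const name of names) {
      const { limit, windowMs } = BUDGETS[name];
      // Sliding window: keep only timestamps still inside the window.
      const live = (this.hits.get(name) ?? []).filter((t) => now - t < windowMs);
      this.hits.set(name, live);
      if (live.length >= limit) return name; // denied calls are not recorded
    }
    // Commit only after every applicable budget has room.
    for (const name of names) this.hits.get(name)!.push(now);
    return null;
  }
}

// Constructed scenario: one session issuing `count` calls one second apart.
function simulate(kind: OpKind, count: number, startMs = 0): (string | null)[] {
  const guard = new AgentGuardrail();
  return Array.from({ length: count }, (_, i) => guard.check(kind, startMs + i * 1000));
}
```

Because a denied call is never recorded, a session that keeps retrying against an exhausted budget does not extend its own lockout.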