How Rate Limiting Works
Boottify applies rate limiting to all 23 authentication-related API endpoints. This prevents brute force attacks, credential stuffing, and abuse of password reset flows.
The 5 Tiers
Each endpoint is assigned one of five rate limiting tiers based on its sensitivity:
- Strict — 3 requests per 15 minutes. Applied to sign-in and forgot-password endpoints.
- Tight — 5 requests per 15 minutes. Applied to sign-up and password reset.
- Standard — 10 requests per 15 minutes. Applied to 2FA verification and setup.
- Relaxed — 20 requests per 15 minutes. Applied to OAuth callback routes.
- Lenient — 30 requests per 15 minutes. Applied to session management endpoints.
What Happens When You're Rate Limited
When you exceed the rate limit for an endpoint, you'll receive an HTTP 429 Too Many Requests response. The response includes headers that tell you:
- X-RateLimit-Limit — Maximum requests allowed in the window
- X-RateLimit-Remaining — Requests remaining in the current window
- X-RateLimit-Reset — Unix timestamp when the window resets
- Retry-After — Seconds to wait before retrying
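The following Python example, added here and not taken from Boottify's code base, models the five tiers above as a fixed-window counter keyed by client and endpoint, emits the four response headers described, and includes a small client-side helper that turns a 429 response into a wait time. The endpoint paths, the client identifiers and the per-client keying are assumptions for illustration; the tier limits and the 15-minute window come from the article.

```python
import math
import time
from dataclasses import dataclass

# Fixed 15-minute window shared by all tiers (from the article).
WINDOW = 15 * 60

# Tier name -> requests allowed per window (from the article).
TIERS = {
    "strict": 3,
    "tight": 5,
    "standard": 10,
    "relaxed": 20,
    "lenient": 30,
}

# Endpoint -> tier. Paths are illustrative assumptions, not Boottify's real routes.
ENDPOINT_TIERS = {
    "/auth/sign-in": "strict",
    "/auth/forgot-password": "strict",
    "/auth/sign-up": "tight",
    "/auth/reset-password": "tight",
    "/auth/2fa/verify": "standard",
    "/auth/2fa/setup": "standard",
    "/auth/oauth/callback": "relaxed",
    "/auth/sessions": "lenient",
}


@dataclass
class Decision:
    allowed: bool
    status: int          # 429 when limited; 200 stands in for "handler decides"
    headers: dict


class FixedWindowLimiter:
    """Counts requests per (client, endpoint) inside aligned 15-minute windows."""

    def __init__(self, now=time.time):
        self._now = now                   # injectable clock for deterministic tests
        self._counters = {}               # (client, path) -> (window_start, count)

    def check(self, client, path):
        limit = TIERS[ENDPOINT_TIERS[path]]
        now = self._now()
        window_start = int(now // WINDOW) * WINDOW
        reset = window_start + WINDOW
        key = (client, path)
        start, count = self._counters.get(key, (window_start, 0))
        if start != window_start:         # previous window has expired
            count = 0
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Reset": str(reset),   # Unix timestamp of window end
        }
        if count >= limit:
            # Rejected requests are not counted, so hammering the endpoint
            # does not push the reset time further out.
            self._counters[key] = (window_start, count)
            headers["X-RateLimit-Remaining"] = "0"
            headers["Retry-After"] = str(math.ceil(reset - now))
            return Decision(False, 429, headers)
        count += 1
        self._counters[key] = (window_start, count)
        headers["X-RateLimit-Remaining"] = str(limit - count)
        return Decision(True, 200, headers)


def retry_delay(status, headers, now):
    """Client side: seconds to wait before retrying, 0 if the request was not limited.

    Prefers Retry-After and falls back to X-RateLimit-Reset if a proxy dropped it.
    """
    if status != 429:
        return 0
    if "Retry-After" in headers:
        return int(headers["Retry-After"])
    return max(0, int(headers["X-RateLimit-Reset"]) - int(now))


def simulate():
    """Constructed scenario: one client exhausts the strict sign-in tier.

    Returns a list of (status, remaining, retry_after_or_None) per request.
    """
    clock = [1_000_000.0]                 # constructed Unix time; window ends at 1_000_800
    limiter = FixedWindowLimiter(now=lambda: clock[0])
    client = "203.0.113.7"                # constructed client address
    results = []
    for _ in range(4):                    # 3 allowed, 4th rejected
        d = limiter.check(client, "/auth/sign-in")
        results.append((d.status, d.headers["X-RateLimit-Remaining"],
                        d.headers.get("Retry-After")))
    # Other endpoints and other clients keep independent counters.
    results.append((limiter.check(client, "/auth/sessions").status,))
    results.append((limiter.check("198.51.100.9", "/auth/sign-in").status,))
    clock[0] = 1_000_800.0                # window rolls over
    results.append((limiter.check(client, "/auth/sign-in").status,))
    return results


if __name__ == "__main__":
    for row in simulate():
        print(row)
```

The fixed window is aligned to multiples of 15 minutes rather than started by the first request, which is why the Retry-After value can be well under 900 seconds; a sliding-window or token-bucket variant would change the exact numbers but not the header contract.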
What to Do If Rate Limited
If you see a "Too many requests" error:
- Wait for the time indicated in the error message before trying again.
- Check that you're entering the correct credentials — repeated failures consume your limit faster.
- If you've forgotten your password, use the "Forgot Password" link rather than guessing.
- Contact support if you believe you've been rate limited incorrectly.
Why Rate Limiting Matters
Without rate limiting, attackers could attempt thousands of password combinations per minute. The strict tier on sign-in (3 attempts per 15 minutes) makes brute force attacks impractical while still allowing legitimate users to correct typos.