Rate Limiting

Authara includes built-in rate limiting to protect against:

brute-force login attempts
automated signup abuse

Limits are applied per:

IP address
email address

AUTHARA_RATE_LIMIT_LOGIN_IP_LIMIT

Maximum login attempts per IP.

Default:

AUTHARA_RATE_LIMIT_LOGIN_IP_WINDOW

Time window for IP-based login attempts.

Default:

1m

AUTHARA_RATE_LIMIT_LOGIN_EMAIL_LIMIT

Maximum login attempts per email.

Default:

AUTHARA_RATE_LIMIT_LOGIN_EMAIL_WINDOW

Time window for email-based login attempts.

Default:

1h

AUTHARA_RATE_LIMIT_SIGNUP_IP_LIMIT

Maximum signup attempts per IP.

Default:

AUTHARA_RATE_LIMIT_SIGNUP_IP_WINDOW

Time window for IP-based signup attempts.

Default:

1h

AUTHARA_RATE_LIMIT_SIGNUP_EMAIL_LIMIT

Maximum signup attempts per email.

Default:

AUTHARA_RATE_LIMIT_SIGNUP_EMAIL_WINDOW

Time window for email-based signup attempts.

Default:

24h

Safety limits

AUTHARA_RATE_LIMIT_MAX_ENTRIES

Maximum number of rate limit keys stored in memory.

Default:

This acts as a safety valve against memory exhaustion.

Multi-instance deployments

Rate limiting is currently in-memory per instance.

In multi-instance deployments, limits are not shared between instances.

Future versions may support shared rate limiting via Redis.

Rate Limiting

Login limits

AUTHARA_RATE_LIMIT_LOGIN_IP_LIMIT

AUTHARA_RATE_LIMIT_LOGIN_IP_WINDOW

AUTHARA_RATE_LIMIT_LOGIN_EMAIL_LIMIT

AUTHARA_RATE_LIMIT_LOGIN_EMAIL_WINDOW

Signup limits

AUTHARA_RATE_LIMIT_SIGNUP_IP_LIMIT

AUTHARA_RATE_LIMIT_SIGNUP_IP_WINDOW

AUTHARA_RATE_LIMIT_SIGNUP_EMAIL_LIMIT

AUTHARA_RATE_LIMIT_SIGNUP_EMAIL_WINDOW

Safety limits

AUTHARA_RATE_LIMIT_MAX_ENTRIES

Multi-instance deployments