Minctrl Docs

Rate limits

The endpoints that carry a rate limit, their exact per-IP limits, and what a 429 looks like.

Rate limiting is applied per client IP on a small set of sensitive endpoints — the auth flows and the LLM-cost-bearing workflow start. Every other endpoint is currently unlimited (there is no global default limit). When a limit is exceeded the API returns 429 Too Many Requests.

The limits

| Endpoint | Method | Limit (per IP) | Why |
|---|---|---|---|
| /auth/register | POST | 60 / minute | Sign-up abuse protection. |
| /auth/login | POST | 5 / minute | Credential-stuffing protection. |
| /auth/otp/request | POST | 5 / minute | Throttle one-time-code emails. |
| /auth/otp/verify | POST | 10 / minute | Limit code-guessing attempts. |
| /workflows/start | POST | 10 / minute | Cap LLM cost — each workflow ≈ $0.07+. |

/auth/otp/request additionally enforces a per-email throttle: it won't issue a second code while one issued in the last 60 seconds is still pending. /auth/otp/verify also caps attempts per code (5) independent of the IP limit.

The 429 response

A rate-limited request returns 429 with a detail describing the exceeded limit, for example:

{ "detail": "Rate limit exceeded: 5 per 1 minute" }

Limits are keyed by remote IP address. Behind a proxy or load balancer, make sure the real client IP is forwarded so the limiter counts per caller rather than per gateway.
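The table above and the proxy caveat, as an added illustration (not Minctrl's own limiter code): a per-IP sliding-window limiter loaded with these limits, returning the documented 429 body when a limit is hit, plus a client-IP helper that honours X-Forwarded-For only when the request arrived from a configured trusted proxy. The proxy address, the sliding-window algorithm and the helper names are assumptions.

```python
import time
from collections import defaultdict, deque

# Per-IP limits from the table above: (endpoint, method) -> (requests, window seconds).
LIMITS = {
    ("/auth/register", "POST"): (60, 60),
    ("/auth/login", "POST"): (5, 60),
    ("/auth/otp/request", "POST"): (5, 60),
    ("/auth/otp/verify", "POST"): (10, 60),
    ("/workflows/start", "POST"): (10, 60),
}

# Assumed address of the load balancer sitting in front of the API.
TRUSTED_PROXIES = {"10.0.0.1"}


def client_ip(peer_ip, headers):
    """Return the address the limiter should key on.

    X-Forwarded-For is trusted only when the TCP peer is one of our proxies;
    otherwise any caller could set the header and dodge the per-IP limit.
    The rightmost entry is the one the trusted proxy itself appended.
    """
    xff = headers.get("X-Forwarded-For")
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer_ip


class SlidingWindowLimiter:
    def __init__(self, now=time.monotonic):
        self.now = now  # injectable clock so the window can be tested offline
        self.hits = defaultdict(deque)  # (ip, endpoint, method) -> hit timestamps

    def check(self, ip, endpoint, method):
        """Return None if the request is allowed, else the 429 body to send."""
        limit = LIMITS.get((endpoint, method))
        if limit is None:
            return None  # no limit configured: endpoint is currently unlimited
        max_requests, window = limit
        t = self.now()
        q = self.hits[(ip, endpoint, method)]
        while q and t - q[0] >= window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= max_requests:
            return {"detail": f"Rate limit exceeded: {max_requests} per {window // 60} minute"}
        q.append(t)
        return None
```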

These are the only endpoints with an enforced limit today. Treat any others as best-effort and don't hammer them — the set above can change as more endpoints are hardened.
