# Rate Limiting

> Rate limiting policies and registration safeguards in the Equa API

> **Source:** `equa-server/modules/api/src/endpoints/auth-endpoints.ts` (registration IP limit), `equa-server/modules/agent/src/endpoints/agent-endpoints.ts` (agent guardrails)

The Equa API does not currently implement a global rate-limiting middleware. However, there are built-in safeguards on specific operations to prevent abuse.

## Existing Safeguards

### Registration IP Limit

New account registrations are throttled by IP address.

| Variable                | Default | Description                                    |
| ----------------------- | ------- | ---------------------------------------------- |
| `REGISTRATION_IP_LIMIT` | 20      | Maximum registrations allowed from a single IP |

The registration endpoint (`POST /v1/user`) uses `request-ip` middleware to capture the client IP and enforce this limit.

### Email Verification Cooldown

Re-sending verification emails is throttled to prevent abuse.

| Variable                           | Default | Description                                                     |
| ---------------------------------- | ------- | --------------------------------------------------------------- |
| `EMAIL_VERIFICATION_LIMIT_SECONDS` | 1800    | Minimum seconds between verification email resends (30 minutes) |

## Recommendations for API Consumers

Even without server-side rate limiting, clients should implement reasonable request patterns:

* **Avoid polling loops** faster than once per second
* **Debounce** user-triggered searches and availability checks
* **Cache responses** where data does not change frequently (e.g., billing products, organization features)
* **Use exponential backoff** when retrying failed requests

## Future Rate Limiting

Rate limiting middleware is planned for future releases. When implemented, rate-limited responses will return:

```
HTTP 429 Too Many Requests
```

With headers:

```
Retry-After: <seconds>
X-RateLimit-Limit: <max-requests>
X-RateLimit-Remaining: <requests-remaining>
X-RateLimit-Reset: <unix-timestamp>
```
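
A client-side retry policy that combines the exponential-backoff recommendation above with the planned 429 headers, as an added example (not Equa project code). The constants, the function names `retryDelayMs` and `withRetry`, and the plain-object shape of `headers` are assumptions of this sketch; only the header names and the 429 status come from this page.

```javascript
// Added example, not Equa project code. Constants below are assumed client policy.
const BASE_MS = 500;       // first backoff step
const MAX_WAIT_MS = 30000; // longest single wait the client will accept
const MAX_RETRIES = 5;     // retry budget per request

// Case-insensitive lookup over a plain object of response headers.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Milliseconds to wait before retry number `attempt` (0-based), or null to stop.
function retryDelayMs(status, headers, attempt, nowMs = Date.now(), rand = Math.random) {
  if (attempt >= MAX_RETRIES) return null;
  if (status !== 429 && !(status >= 500 && status <= 599)) return null; // not retryable
  if (status === 429) {
    // Prefer the server's hint. Only plain integer values are trusted.
    const retryAfter = header(headers, "Retry-After");
    const reset = header(headers, "X-RateLimit-Reset");
    let hintMs;
    if (retryAfter !== undefined && /^\d+$/.test(retryAfter)) {
      hintMs = Number(retryAfter) * 1000;
    } else if (reset !== undefined && /^\d+$/.test(reset)) {
      hintMs = Math.max(Number(reset) * 1000 - nowMs, 0); // reset already passed: go now
    }
    // A hint beyond the cap is surfaced to the caller instead of retrying early.
    if (hintMs !== undefined) return hintMs <= MAX_WAIT_MS ? hintMs : null;
  }
  // Exponential backoff with full jitter: uniform in [0, min(cap, base * 2^attempt)).
  const ceiling = Math.min(MAX_WAIT_MS, BASE_MS * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}

// Calls doRequest() (resolving to { status, headers }) until the policy says stop.
async function withRetry(doRequest, sleep = (ms) => new Promise((r) => setTimeout(r, ms))) {
  for (let attempt = 0; ; attempt++) {
    const res = await doRequest();
    const delay = retryDelayMs(res.status, res.headers, attempt);
    if (delay === null) return res;
    await sleep(delay);
  }
}
```

`withRetry` returns the last response once the policy stops, so the caller still sees the final 429 or 5xx; errors thrown by `doRequest` propagate unchanged.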

## Agent API Limits

The [Agent (Equanaut) endpoints](/api/endpoints/agent-endpoints) have their own built-in rate controls:

| Setting                           | Default | Description                                      |
| --------------------------------- | ------- | ------------------------------------------------ |
| `AGENT_MAX_TOOL_CALLS_PER_MINUTE` | 30      | Maximum tool calls the agent can make per minute |
| `AGENT_MAX_WRITE_OPS_PER_MINUTE`  | 10      | Maximum write operations per minute              |
| `AGENT_MAX_DESTRUCTIVE_PER_HOUR`  | 5       | Maximum destructive actions per hour             |
