# Rate Limiting

The CPR backend uses Laravel's built-in rate limiting to prevent abuse.

## Rate Limit Tiers

Configured in `AppServiceProvider`:
| Tier | Limit | Scope | Applied To |
|---|---|---|---|
| api | 1,000 requests/minute | Per user or IP | All authenticated API routes |
| authentication | 5 requests/minute | Per IP | Login, reset password |
| public | 5 requests/minute | Per IP | Public endpoints (health check) |
## Response Headers

Rate limit information is included in the response headers:

```http
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 995
```

## Rate Limit Exceeded
When the limit is exceeded, the API returns `429 Too Many Requests`:

```json
{
  "message": "Too Many Attempts."
}
```

The `Retry-After` header indicates when you can retry.
## Configuration

Rate limits are defined in `AppServiceProvider::configureRateLimiting()`:

```php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

// Keyed by the authenticated user's id, falling back to the client IP
// for unauthenticated requests.
RateLimiter::for('api', function (Request $request) {
    return Limit::perMinute(1000)
        ->by($request->user()?->id ?: $request->ip());
});

// Login and password reset are always keyed by IP, since the caller
// is not authenticated yet.
RateLimiter::for('authentication', function (Request $request) {
    return Limit::perMinute(5)->by($request->ip());
});

RateLimiter::for('public', function (Request $request) {
    return Limit::perMinute(5)->by($request->ip());
});
```

## Best Practices
- Monitor `X-RateLimit-Remaining` headers proactively
- Implement exponential backoff when receiving 429 responses
- Use the `Retry-After` header to know when to retry
- For bulk operations, batch requests rather than sending many individual calls
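A client-side handler that follows these practices against the 429 behaviour described above, added here as an example; it is not code from the CPR backend. The `send` callable, the injectable `sleep`, and the 50-request low-water mark for `X-RateLimit-Remaining` are assumptions.

```python
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def retry_delay(status, headers, attempt, base=1.0, cap=60.0):
    """Seconds to wait before retrying, or None if the response was not a 429.

    Honours Retry-After in both its delta-seconds and HTTP-date forms and
    falls back to capped exponential backoff when the header is absent.
    """
    if status != 429:
        return None
    retry_after = headers.get("Retry-After")
    if retry_after is not None:
        try:
            return float(retry_after)          # delta-seconds form, e.g. "3"
        except ValueError:
            # HTTP-date form; Retry-After dates are always GMT, so the
            # parsed value is timezone-aware and comparable to UTC now.
            when = parsedate_to_datetime(retry_after)
            return max(0.0, (when - datetime.now(timezone.utc)).total_seconds())
    return min(cap, base * (2 ** attempt))     # 1s, 2s, 4s, ... capped at 60s


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, low_water=50):
    """Call send() until it returns a non-429 response.

    send() is any callable returning (status, headers, body). sleep is
    injectable so the retry logic can be exercised without real waiting.
    low_water (assumed value) is the X-RateLimit-Remaining level below which
    the client slows itself down before the server has to reject anything.
    """
    for attempt in range(max_attempts):
        status, headers, body = send()
        delay = retry_delay(status, headers, attempt)
        if delay is None:
            remaining = headers.get("X-RateLimit-Remaining")
            if remaining is not None and int(remaining) < low_water:
                sleep(1.0)  # proactive slow-down: nearly out of quota this minute
            return status, headers, body
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")
```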