Skip to main content

Overview

PassAgent enforces per-user and per-IP rate limits on all API endpoints. Rate limits prevent abuse, credential stuffing, and denial-of-service attacks.

Active rate limits

EndpointLimitWindowModeKey
Chat reset60 requests60 secondsFail-openchat:reset:{userId}
Password reveal20 requests60 secondsFail-closedreveal:{userId}
Password CRUD30 requests60 secondsFail-openpasswords:{action}:{userId}
Sync (pull)60 requests60 secondsFail-opensync:pull:{userId}
Sync (push)30 requests60 secondsFail-opensync:push:{userId}
Sharing20 requests60 secondsFail-opensharing:{userId}
Travel fortress60 requests3600 secondsFail-closedtravel:{userId}
Travel PIN forgot3 requests3600 secondsFail-closedtravel:forgot:{userId}
2FA enrollment3 requests60 secondsFail-closed2fa:enroll:{userId}
Session shares10 requests3600 secondsFail-opensession:{userId}
Identity generation10 requests60 secondsFail-openidentities:{userId}
DMS configuration10 requests60 secondsFail-closeddms:{userId}
Import5 requests300 secondsFail-closedimport:{userId}
Reset tasks5 requests300 secondsFail-closedreset:{userId}

Enforcement modes

If the rate limiter backend (Redis) is unavailable, requests are allowed through. Used for non-critical operations where availability is prioritized over strict enforcement.

Backend

  • Primary: Redis (Vercel KV) with sliding window counters
  • Fallback: In-memory counters per serverless instance (reset on cold start)
  • Key format: ratelimit:{action}:{identifier}

Error response

When a rate limit is exceeded: 
HTTP 429 Too Many Requests
Retry-After: 60

{
  "error": "Too many requests. Please try again later.",
  "error_code": "rate_limit_exceeded"
}
Rate limit events are logged to the audit trail with the action rate_limit and metadata including the endpoint and limit configuration.

Step-up authentication

Certain endpoints require step-up authentication in addition to rate limiting. Step-up auth verifies that the user has authenticated recently (within a configurable window):
EndpointStep-up window
Password sharing5 minutes
DMS configuration90 seconds
Session shares300 seconds
Password importRisk-adaptive
If step-up auth fails: 
{
  "error": "Re-authentication required",
  "code": "step_up_required"
}