Rate Limits

Request limits per endpoint and what happens when you hit them (429).

Why we rate limit

Rate limits protect the service from abuse and ensure fair use. Unauthenticated users have stricter limits on public endpoints; authenticated users (JWT or API key) get higher limits. If you exceed a limit, the API returns 429 Too Many Requests with a message and optional retry guidance.

Per-endpoint limits (backend)

- Auth (login, register, forgot-password, etc.): 5 requests per 15 minutes per IP.
- Postbox submissions: 10 per hour per IP.
- Corrections: 30 per hour per IP.
- Comments: 60 per hour per IP.
- API key creation: 5 per hour per IP.
- General API (authenticated or with API key): 200 requests per 15 minutes per IP (configurable via RATE_LIMIT_API_MAX).
- Public endpoints (no JWT/API key): 100 requests per 15 minutes per IP (configurable via RATE_LIMIT_PUBLIC_MAX).

When you are logged in or use an API key, public-style requests use the higher general API limit instead of the stricter public limit.
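
To see how the limits above interact, here is a small model of them. It is an added example, not the service's own code. The fixed-window algorithm, the bucket names, the FixedWindowLimiter class and the retry-after value it returns are assumptions; only the numbers and the two configuration variable names come from this page.

```python
import math
import os
import time

# (max requests, window in seconds) per bucket, taken from the limits listed above.
# Bucket names are hypothetical labels chosen for this example.
LIMITS = {
    "auth": (5, 15 * 60),
    "postbox": (10, 60 * 60),
    "corrections": (30, 60 * 60),
    "comments": (60, 60 * 60),
    "api_key_create": (5, 60 * 60),
    "api": (int(os.environ.get("RATE_LIMIT_API_MAX", "200")), 15 * 60),
    "public": (int(os.environ.get("RATE_LIMIT_PUBLIC_MAX", "100")), 15 * 60),
}


class FixedWindowLimiter:
    """Per-IP fixed-window counters (assumed algorithm, not confirmed by the page)."""

    def __init__(self, limits=LIMITS, clock=time.time):
        self.limits = limits
        self.clock = clock
        self.windows = {}  # (bucket, ip) -> [window_start, count]

    def check(self, bucket, ip, authenticated=False):
        """Return (http_status, retry_after_seconds) for one request."""
        # Public-style requests carrying a JWT or API key use the general API limit.
        if bucket == "public" and authenticated:
            bucket = "api"
        max_requests, window = self.limits[bucket]
        now = self.clock()
        state = self.windows.get((bucket, ip))
        if state is None or now - state[0] >= window:
            # First request from this IP, or the previous window has expired.
            state = self.windows[(bucket, ip)] = [now, 0]
        if state[1] >= max_requests:
            # Rejected requests are not counted; the caller waits out the window.
            return 429, math.ceil(state[0] + window - now)
        state[1] += 1
        return 200, 0


if __name__ == "__main__":
    limiter = FixedWindowLimiter()
    # 203.0.113.7 is a constructed documentation address; the 6th login attempt is refused.
    print([limiter.check("auth", "203.0.113.7")[0] for _ in range(6)])
```

Because every counter is keyed by IP, clients behind one shared address draw from the same budget, and each bucket is counted separately from the others.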

When you see 429

The site may show a message that you have been rate limited. Wait until the time window resets (e.g. try again later in the hour or after 15 minutes). For heavy use, use an API key so your requests count against the higher authenticated limit. Include the X-Request-ID response header when reporting issues to support.