Rate Limits

Request limits per endpoint and what happens when you hit them (429).

Why we rate limit

Rate limits protect the service from abuse and ensure fair use. Unauthenticated users have stricter limits on public endpoints; authenticated users (JWT or API key) get higher limits. If you exceed a limit, the API returns 429 Too Many Requests with a message and optional retry guidance.

Per-endpoint limits (backend)

- Auth (login, register, forgot-password, etc.): 5 requests per 15 minutes per IP.
- Postbox submissions: 20 per hour per IP.
- Corrections: 30 per hour per IP.
- Comments: 60 per hour per IP.
- API key creation: 5 per hour per IP.
- Anonymous browsing: 300 general API requests per 15 minutes per IP, plus a separate 200-request cap on public feed/map-style endpoints (RATE_LIMIT_API_MAX / RATE_LIMIT_PUBLIC_MAX).

When you are logged in or send an API key, the public cap is skipped and the general limit is doubled (default 600 per 15 minutes; RATE_LIMIT_AUTH_MULTIPLIER). Owner and admin accounts are not rate limited.
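
The tiering described above (general cap, separate public cap, authenticated multiplier, owner/admin exemption) can be modelled as follows. This is an added example, not the service's own code: the fixed-window algorithm, the role names, the TieredLimiter class, and the choice to count anonymous public requests against both caps are assumptions.

```python
import math
import time
from collections import defaultdict

WINDOW_SECONDS = 15 * 60
RATE_LIMIT_API_MAX = 300         # general cap per IP and window (page default)
RATE_LIMIT_PUBLIC_MAX = 200      # extra cap on public feed/map-style endpoints
RATE_LIMIT_AUTH_MULTIPLIER = 2   # authenticated general cap: 300 * 2 = 600
EXEMPT_ROLES = {"owner", "admin"}  # role names are assumed for this sketch


class TieredLimiter:
    """Fixed-window counters; the windowing algorithm is an assumption."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        # (bucket, ip, window index) -> hits; old windows are never evicted here
        self.hits = defaultdict(int)

    def check(self, ip, public_endpoint=False, authenticated=False, role="user"):
        """Return (http_status, retry_after_seconds) for one request."""
        if role in EXEMPT_ROLES:
            return 200, 0
        now = self.clock()
        window = int(now // WINDOW_SECONDS)
        multiplier = RATE_LIMIT_AUTH_MULTIPLIER if authenticated else 1
        caps = [(("general", ip, window), RATE_LIMIT_API_MAX * multiplier)]
        if public_endpoint and not authenticated:
            # Assumed: anonymous public requests count against both caps.
            caps.append((("public", ip, window), RATE_LIMIT_PUBLIC_MAX))
        # Check every cap before counting, so a rejected request consumes nothing.
        if any(self.hits[key] >= cap for key, cap in caps):
            return 429, math.ceil((window + 1) * WINDOW_SECONDS - now)
        for key, _ in caps:
            self.hits[key] += 1
        return 200, 0


if __name__ == "__main__":
    limiter = TieredLimiter(clock=lambda: 0.0)
    ip = "203.0.113.7"  # constructed documentation address
    statuses = [limiter.check(ip, public_endpoint=True)[0] for _ in range(201)]
    print(statuses.count(200), "allowed, then", statuses[-1])
```

Passing a fake clock, as the demo does, makes window rollover testable without waiting 15 minutes.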

When you see 429

The site may show a message that you have been rate limited. Wait until the time window resets (e.g. try again later in the hour or after 15 minutes). For heavy use, use an API key so your requests count against the higher authenticated limit. Include the X-Request-ID response header when reporting issues to support.