Glossary
Key terms and concepts in agricultural APIs and precision farming.
Rate limiting is a traffic control mechanism that restricts the number of API requests a client can make within a defined time window. It protects backend services from overload, ensures fair resource allocation across users, and mitigates abuse. FieldMCP implements multiple rate limiting layers, each targeting a different threat vector.
FieldMCP uses three complementary rate limiting strategies:
IP-based rate limiting tracks failed authentication attempts. After 25 failures within a 900-second (15-minute) window, the IP is temporarily blocked. This prevents credential stuffing and brute-force attacks against the OAuth 2.1 endpoints.
State is stored in the cache.rate_limits PostgreSQL table and cleaned by a pg_cron job every 5 minutes.
The per-minute limit is a per-developer counter maintained in memory within the DeveloperState Durable Object. Limits vary by subscription tier:
| Tier | Requests/minute |
|---|---|
| Free | 60 |
| Developer | 100 |
| Startup | 500 |
| Enterprise | 1,000 |
Because this counter lives in the Durable Object's memory, it resets when the Worker restarts. This is intentional — per-minute limits are a burst protection mechanism, not a billing control.
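The per-minute layer and the HTTP 429 / Retry-After response this entry describes, as an added example that is not FieldMCP's code: an in-memory limiter using the tier limits from the table. The class and field names, the fixed-window strategy, and the fail-closed handling of unknown tiers are assumptions.

```javascript
// Added illustration, not FieldMCP source. All names here are hypothetical.
const TIER_LIMITS = { free: 60, developer: 100, startup: 500, enterprise: 1000 };
const WINDOW_MS = 60_000; // one minute

class PerMinuteLimiter {
  // `now` is injectable so the window logic can be exercised without waiting.
  constructor(tier, now = () => Date.now()) {
    const known = Object.prototype.hasOwnProperty.call(TIER_LIMITS, tier);
    // Assumption: an unrecognised tier fails closed to the lowest limit
    // instead of running unlimited.
    this.limit = known ? TIER_LIMITS[tier] : TIER_LIMITS.free;
    this.now = now;
    // State lives only in this object, so a restart (a new instance)
    // starts from zero, matching the reset behaviour described above.
    this.windowStart = -Infinity;
    this.count = 0;
  }

  // Returns the status and headers a handler would send for this request.
  check() {
    const t = this.now();
    if (t - this.windowStart >= WINDOW_MS) {
      // Assumption: fixed window that opens on the first request after expiry.
      this.windowStart = t;
      this.count = 0;
    }
    if (this.count >= this.limit) {
      // Retry-After is whole seconds; round up so the client never retries early.
      const seconds = Math.ceil((this.windowStart + WINDOW_MS - t) / 1000);
      return { status: 429, headers: { "Retry-After": String(seconds) } };
    }
    this.count += 1;
    return { status: 200, headers: {}, remaining: this.limit - this.count };
  }
}
```
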
The monthly limit is an atomic counter that tracks total requests per developer per calendar month. It is implemented via a PostgreSQL RPC function with row-level locking to prevent race conditions. The Durable Object batches flushes (every 30 seconds or 10 requests) to reduce database writes while maintaining accuracy.
When a rate limit is hit, FieldMCP returns HTTP 429 with a Retry-After header indicating how many seconds to wait. Well-behaved clients should:
Retry-After value