Rate Limits

Rate Limits

The auth brute-force rate limits on a self-hosted DeviceSDK server

DeviceSDK is self-hosted: you run the server, so there are no plan tiers, no per-message quotas, and no usage billing. The only rate limiting the server applies is brute-force protection on authentication endpoints, to slow password and token-guessing attacks.

Everything else - how many devices you connect, how many messages they send, how often your scripts run - is bounded only by the hardware you run the server on.

Authentication rate limits

The server keeps an in-memory, per-IP, fixed-window limiter on the auth routes. Requests that exceed the window receive an HTTP 429 Too Many Requests response.

Endpoint Limit
Register (/v1/auth/register) 10 per minute
Login (/v1/auth/login) 20 per minute
CLI start auth (/v1/cli/auth/start) 10 per minute
CLI poll auth (/v1/cli/auth/poll) 60 per minute
CLI refresh token (/v1/cli/auth/refresh) 10 per minute

The limiter is keyed by client IP and request path. Behind a reverse proxy, the server reads the standard X-Forwarded-For / X-Real-IP headers to identify the real client - make sure your proxy sets them.

Handling 429 responses

When you hit an auth limit, the response includes a Retry-After header indicating how many seconds to wait before retrying:

HTTP/1.1 429 Too Many Requests
Retry-After: 12
Content-Type: application/json

{
  "success": false,
  "error": "Rate limit exceeded. Try again shortly."
}

Wait for the duration in Retry-After before sending another request.

Deployment limits

Script deployments have one hard constraint:

  • Maximum script size: 1 MB per version

These are not rate limits - there's no cap on how frequently you deploy to your own server.