Rate Limits & Security
Connection limits
| Limit | Value | Scope |
|---|---|---|
| Per-IP concurrent connections | 20 | Single IP address |
| Per-IP connection rate | 10 / minute | Sliding window |
| Per-key concurrent connections | Configurable | Per API key |
If you exceed any of these limits, the server responds with HTTP 429 Too Many Requests during the handshake:
{
"error": "max_connections_reached",
"limit": 5,
"current": 5
}
Client message limits
| Limit | Value | Scope | Consequence |
|---|---|---|---|
| Message rate | 3 / minute | Per connection | Connection closed (rate_limit_exceeded) |
| Max frame size | 1 KB | Per frame | Connection closed (frame_too_large) |
| Test requests | 1 / minute | Per API key | Error response (test_rate_limited) |
The test request rate limit is shared across all connections using the same API key. Unlike the other limits, exceeding it does not disconnect you — you receive an error message with a retryAfterSecs field instead. See Message Reference — Test Announcement.
TLS
All connections use TLS encryption by default (WSS on port 9201).
The server may use a self-signed certificate. If so, you will need to disable certificate verification in your client. See Code Examples for how to do this in each language.
API key security
- Keys are hashed before storage – raw keys cannot be recovered from the database.
- Keys can be revoked instantly by an administrator, immediately disconnecting all active sessions.
- Keys can have expiration dates – expired keys are automatically rejected.