Errors and Rate Limits

Error envelope, per-key rate limits, monthly quota gates, and overage signaling.

Public API rate limiting is centralized and Redis-backed.

Standard headers

Every limited public route returns:

X-RateLimit-Limit
X-RateLimit-Remaining
X-RateLimit-Reset
Retry-After on 429

Default policies

token exchange: 10/min
read routes: 120/min
write routes: 60/min
usage routes: 30/min

Error shape

Public API errors use the standard envelope:

{
  "success": false,
  "error": "Rate limit exceeded",
  "code": "RATE_LIMIT_EXCEEDED"
}

Operational behavior

auth and public API rate limiting are fail-closed
missing public API configuration should fail app startup, not produce request-time JWT errors
cross-tenant access returns 403 or 404 depending on the route policy

Webhooks

Subscribe to Shortnd events with signed, verifiable HMAC-SHA256 deliveries.

On this page

Standard headers Default policies Error shape Operational behavior