Smart Rate Limiting

Intelligent rate limiting that adapts to user risk level instead of blunt IP-based limits.

Traditional rate limiting applies the same limits to every user. VerifyStack's smart rate limiting adjusts limits based on the user's trust level — trusted users get higher limits, while suspicious users are throttled more aggressively.

How It Works

Risk Level	Rate Limit	Example
Trusted (score 0-15)	200 req/min	Known user, known device, good history
Normal (score 16-40)	100 req/min	Default for most users
Elevated (score 41-70)	30 req/min	New device, unusual location
High Risk (score 71+)	5 req/min	Suspicious signals, potential bot

Implementation

Adaptive rate limitingjavascript

async function handleRequest(req, res) {
  const decision = await vs.decide({
    action: req.path,
    userId: req.user?.id,
  });

  // Adaptive rate limit based on risk score
  const limit = decision.score <= 15 ? 200
    : decision.score <= 40 ? 100
    : decision.score <= 70 ? 30
    : 5;

  res.setHeader('X-RateLimit-Limit', limit);
  res.setHeader('X-RateLimit-Remaining', limit - currentCount);

  if (currentCount > limit) {
    return res.status(429).json({ error: 'Rate limited' });
  }

  // Process request normally
  processRequest(req, res);
}

Built-in Rate Limiting

VerifyStack's API endpoints include built-in atomic rate limiting using distributed KV counters. These are applied automatically:

Endpoint	Default Limit	Window
/api/v1/decide	100/min	Per API key
/api/v1/analyze	30/60s	Per IP
/api/v1/cases	120/min	Per API key
/api/v1/feedback	50/hour	Per API key
/api/v1/status	300/min	Per IP

Enterprise plans support custom rate limits per endpoint. Contact us for details.

Bot Detection Custom Signals

Docs Index

Risk Level

Rate Limit

Example

Trusted (score 0-15)

200 req/min

Known user, known device, good history

Normal (score 16-40)

100 req/min

Default for most users

Elevated (score 41-70)

30 req/min

New device, unusual location

High Risk (score 71+)

5 req/min

Suspicious signals, potential bot

Implementation

Adaptive rate limitingjavascript

async function handleRequest(req, res) {
  const decision = await vs.decide({
    action: req.path,
    userId: req.user?.id,
  });

  // Adaptive rate limit based on risk score
  const limit = decision.score <= 15 ? 200
    : decision.score <= 40 ? 100
    : decision.score <= 70 ? 30
    : 5;

  res.setHeader('X-RateLimit-Limit', limit);
  res.setHeader('X-RateLimit-Remaining', limit - currentCount);

  if (currentCount > limit) {
    return res.status(429).json({ error: 'Rate limited' });
  }

  // Process request normally
  processRequest(req, res);
}

Built-in Rate Limiting

VerifyStack's API endpoints include built-in atomic rate limiting using distributed KV counters. These are applied automatically:

Endpoint	Default Limit	Window
/api/v1/decide	100/min	Per API key
/api/v1/analyze	30/60s	Per IP
/api/v1/cases	120/min	Per API key
/api/v1/feedback	50/hour	Per API key
/api/v1/status	300/min	Per IP

Enterprise plans support custom rate limits per endpoint. Contact us for details.