Quotas & limits
Every quota and rate-limit value below is derived from the entitlements module at build time, so this page can never drift from what the server actually enforces.
Per-tier entitlements
| | Free | Hobby | Pro | Unlimited |
|---|---|---|---|---|
| Scans / month | 3 | 50 | 200 | Unlimited¹ |
| Projects (verified domains) | 1 | 1 | 5 | 20² |
| API tokens | 0 | 1 | 5 | 20 |
| Owner-depth scans | no | yes | yes | yes |
| GitHub repo scans | no | no | yes | yes |
| Scheduled re-scans | no | no | ≥3h cadence | ≥1h cadence |
| Live threat detection | no | no | no | yes |
| Retention | 7 days | 30 days | 90 days | 365 days |
| Team seats | 1 | 1 | 1 | 5 |
| Support | standard | standard | priority | dedicated |
¹ The Unlimited plan's scan quota is subject to fair use; see Terms.
² The project cap defaults to 20 active-monitoring domains at ≥1h cadence. Contact support@fixweb.app to raise it in exchange for a longer scheduled cadence.
API rate limits
Every /api/v1/* and /api/mcp request is rate-limited under a key derived from a hash of the bearer token, and each request passes through two windows:
- Burst: 10 requests per second.
- Steady: 60 requests per minute.
On 429, the response includes:
```http
HTTP/1.1 429 Too Many Requests
content-type: application/json
retry-after: 47
x-ratelimit-limit: 60
x-ratelimit-remaining: 0
x-ratelimit-reset: 1715116200

{
  "error": "rate_limited",
  "message": "Token rate limit exceeded – steady (60/min). Retry in 47s.",
  "retry_after_seconds": 47
}
```
The window that tripped is named in the message (burst (10/s) or steady (60/min)), so a client's backoff can adapt to it.
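As an added example (not the server's own code), the two-window scheme above as a sliding-window limiter: burst (10/s) is checked before steady (60/min), the limiter state is keyed on a SHA-256 digest of the bearer token (the page only says "a hash"; SHA-256 is an assumption) so no raw secret is stored, and a tripped window yields the documented 429 headers and body naming that window.

```python
import hashlib
import math
from collections import defaultdict, deque

# Documented windows: name -> (max requests, window seconds, label used in the message)
WINDOWS = {"burst": (10, 1.0, "10/s"), "steady": (60, 60.0, "60/min")}


class TokenRateLimiter:
    """Sliding-window limiter keyed on a hash of the bearer token (assumed SHA-256)."""

    def __init__(self, windows=WINDOWS):
        self.windows = windows
        # Per token hash, per window: timestamps of accepted requests.
        self.hits = defaultdict(lambda: {w: deque() for w in windows})

    @staticmethod
    def key(bearer_token):
        # Only a digest is kept, so limiter state never holds the raw token.
        return hashlib.sha256(bearer_token.encode()).hexdigest()

    def check(self, bearer_token, now):
        """Return None if the request is allowed (and record it); otherwise the
        429 status, headers and JSON body. Rejected requests are not counted."""
        bucket = self.hits[self.key(bearer_token)]
        for name, (limit, span, label) in self.windows.items():  # burst first
            q = bucket[name]
            while q and now - q[0] >= span:  # drop hits that left the window
                q.popleft()
            if len(q) >= limit:
                retry = math.ceil(q[0] + span - now)  # when the oldest hit expires
                return {
                    "status": 429,
                    "headers": {
                        "retry-after": str(retry),
                        "x-ratelimit-limit": str(limit),
                        "x-ratelimit-remaining": "0",
                        "x-ratelimit-reset": str(int(q[0] + span)),
                    },
                    "body": {
                        "error": "rate_limited",
                        "message": f"Token rate limit exceeded – {name} ({label}). Retry in {retry}s.",
                        "retry_after_seconds": retry,
                    },
                }
        for q in bucket.values():  # both windows passed: record the hit in each
            q.append(now)
        return None
```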
Free plan scan rate limit (per IP/24)
On top of the per-org cap of 3 scans per month, Free plan users are also limited per IP/24: 3 scans per hour and 100 per day. The same limiter covers anonymous instant scans, so Free quota cannot be farmed through throwaway accounts. Requests exceeding either limit return HTTP 429 Too Many Requests with a Retry-After header.
Signup throttle (per IP/24)
At most 5 successful sign-ups per IP/24 per 24 hours, to prevent automated Free plan account creation. Rate-limited sign-up callbacks redirect to /sign-in?error=rate_limited.
Retention
- Scans and findings auto-purge per the table above.
- Anonymous one-shot scans expire 24h after creation.
- Audit logs are retained for 18 months.
- Monitor snapshots are pruned to the last 7 days plus the latest baseline per (domain, signal).
- Dismissed alerts are purged after 90 days.
All retention is enforced daily by /api/cron/retention-cleanup.
