FixWeb


Quotas and limits

Every quota and rate-limit value below is derived from the entitlements module at build time, so this page cannot drift from what the server actually enforces.

Entitlements per tier

| | Free | Smart | Pro | Unlimited |
|---|---|---|---|---|
| Scans / month | 3 | 50 | 200 | Unlimited¹ |
| Projects (verified domains) | 1 | 1 | 5 | 20 |
| API tokens | 0 | 1 | 5 | 20 |
| Owner-depth scans | no | yes | yes | yes |
| GitHub repo scans | no | no | yes | yes |
| Scheduled re-scans | no | no | ≥3h cadence | ≥1h cadence |
| Live threat detection | no | no | no | yes |
| Retention | 7 days | 30 days | 90 days | 365 days |
| Team seats | 1 | 1 | 1 | 5 |
| Support | standard | standard | priority | dedicated |

¹ The Unlimited plan's scan quota is subject to fair use; see the Terms.
² The default limit is 20 domains under active monitoring at a ≥1h cadence. Contact support@fixweb.app to raise it in exchange for a longer cadence.

API rate limits

Every /api/v1/* and /api/mcp request is keyed on a hash of the bearer token and runs through two windows:

  • Burst: 10 requests per second.
  • Steady: 60 requests per minute.

On 429, the response includes:

```http
HTTP/1.1 429 Too Many Requests
content-type: application/json
retry-after: 47
x-ratelimit-limit: 60
x-ratelimit-remaining: 0
x-ratelimit-reset: 1715116200

{
  "error": "rate_limited",
  "message": "Token rate limit exceeded — steady (60/min). Retry in 47s.",
  "retry_after_seconds": 47
}
```

The window which tripped is named in the message (burst (10/s) vs steady (60/min)) so a client backoff can adapt.
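A client-side backoff that reads the 429 response above, as an added example (not FixWeb's own code). `plan_backoff` and `Backoff` are hypothetical names, and treating `x-ratelimit-reset` as Unix epoch seconds is an assumption.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample: the 429 response shown above, as a client would receive it.
SAMPLE_HEADERS = {
    "retry-after": "47",
    "x-ratelimit-limit": "60",
    "x-ratelimit-remaining": "0",
    "x-ratelimit-reset": "1715116200",
}
SAMPLE_BODY = json.dumps({
    "error": "rate_limited",
    "message": "Token rate limit exceeded — steady (60/min). Retry in 47s.",
    "retry_after_seconds": 47,
})

@dataclass
class Backoff:
    window: str          # "burst", "steady" or "unknown"
    wait_seconds: float  # how long to pause before the next request

def plan_backoff(status, headers, body, now):
    """Return a Backoff for a 429 response, or None for any other status."""
    if status != 429:
        return None
    headers = {k.lower(): v for k, v in headers.items()}
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        payload = {}
    payload = payload if isinstance(payload, dict) else {}
    # The message names the window that tripped: burst (10/s) or steady (60/min).
    m = re.search(r"\b(burst|steady)\b", str(payload.get("message", "")))
    window = m.group(1) if m else "unknown"
    # Prefer the body field, then the Retry-After header, then the reset time.
    wait = None
    for value in (payload.get("retry_after_seconds"), headers.get("retry-after")):
        try:
            wait = float(value)
            break
        except (TypeError, ValueError):
            pass
    if wait is None:
        try:  # assumption: x-ratelimit-reset is Unix epoch seconds
            wait = float(headers["x-ratelimit-reset"]) - now
        except (KeyError, ValueError):
            wait = 1.0 if window == "burst" else 60.0  # assumed: one full window
    return Backoff(window, max(wait, 0.0))
```

Pass `time.time()` as `now` in real use; a burst trip clears within a second, while a steady trip may need most of a minute.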

Free-plan scan rate limit (per IP/24)

In addition to the monthly limit of 3 scans per organization, Free-plan users face a separate rate limit per IP/24: 3 scans per hour, 100 per day. The same limiter covers anonymous quick scans, which prevents the Free quota from being exploited through throwaway accounts. Requests that exceed a limit return HTTP 429 Too Many Requests with a Retry-After header.

Signup throttle (per IP/24)

5 successful signups per IP/24 per 24 hours, to prevent automated creation of Free-plan accounts. Rate-limited callbacks redirect back to /sign-in?error=rate_limited.

Retention

Scans and findings are auto-purged per the table above. Anonymous one-shot scans expire 24h after creation. Audit logs are retained for 18 months. Monitor snapshots are pruned to the last 7 days plus the latest baseline per (domain, signal). Dismissed alerts are purged after 90 days. All retention is enforced daily by /api/cron/retention-cleanup.
