Rate Limiting
The Rate Limiting system protects Swisper from abuse and controls LLM cost exposure through three independent limiters. Auth endpoint rate limiting uses Redis sliding windows to cap API requests per user and per IP. Token rate limiting uses PostgreSQL sliding windows to enforce per-user LLM token budgets with burst allowance. Login rate limiting uses Redis sliding windows to prevent brute-force authentication attempts. All three limiters fail open — if the storage backend is unavailable, requests are allowed through.
Key Components
| Component | Purpose |
|---|---|
| Endpoint Rate Limiter | Sliding window over Redis sorted sets: caps requests per user and per IP for authenticated endpoints |
| Auth Rate Limit Middleware | FastAPI middleware that applies endpoint rate limiting to all authenticated (Bearer token) requests |
| Token Rate Limiter | Sliding window over PostgreSQL: enforces per-user LLM token budgets with configurable burst allowance |
| Login Rate Limiter | Sliding window over Redis sorted sets: caps login attempts per email and per IP |
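
The sliding-window and fail-open behaviour described above, as an added sketch that is not Swisper's own code. It assumes an in-memory stand-in for the Redis sorted set so it runs offline; every class, function and key name is hypothetical, and it assumes denied attempts still count toward the window.

```python
import logging
import time

log = logging.getLogger("ratelimit.example")

class BackendDown(Exception):
    """Stands in for a storage connection error (hypothetical name)."""

class SortedSetStore:
    """In-memory stand-in for a sorted set keyed by timestamp score."""
    def __init__(self):
        self.sets, self.available = {}, True

    def trim_add_count(self, key, now, window, member):
        # Equivalent of ZREMRANGEBYSCORE + ZADD + ZCARD run as one unit.
        if not self.available:
            raise BackendDown("store unreachable")
        entries = self.sets.setdefault(key, {})
        for m in [m for m, ts in entries.items() if ts <= now - window]:
            del entries[m]          # drop hits that slid out of the window
        entries[member] = now       # record this hit, allowed or not
        return len(entries)

class SlidingWindowLimiter:
    def __init__(self, store, limit, window_s):
        self.store, self.limit, self.window_s = store, limit, window_s
        self.fail_open_count = 0    # export as a metric and alert on it
        self._seq = 0               # keeps members unique within one timestamp

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        self._seq += 1
        try:
            count = self.store.trim_add_count(key, now, self.window_s, f"{now}:{self._seq}")
        except BackendDown:
            # Fail open: the request passes with no throttling at all.
            self.fail_open_count += 1
            log.warning("rate limiter failing open for %s", key)
            return True
        return count <= self.limit

def allow_login(limiter, email, ip, now=None):
    # Both windows are always updated; the attempt needs room in each.
    by_email = limiter.allow(f"login:email:{email}", now)
    by_ip = limiter.allow(f"login:ip:{ip}", now)
    return by_email and by_ip
```

While the store is unreachable the login limiter provides no brute-force protection, so a counter like `fail_open_count` is worth alerting on.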
Documentation Sections
- Overview — What this module does, the three rate limiting layers, and their limits
- Architecture — System design, algorithms, storage backends, and configuration