Rate Limits & Diagnostics

Authepy protects the delivery network from saturation by enforcing granular, multi-tenant sliding-window limits. Understanding these thresholds prevents accidental infrastructure lock-outs.

Token Bucket Thresholds

When Authepy returns an HTTP 429 Too Many Requests, the client has exceeded the established operational quotas. Our Edge Router utilizes a dynamic, multi-layered token bucket algorithm that balances high-velocity throughput for legitimate traffic against rigorous sanitization of anomalous request patterns.

Target-Specific Quota

Adaptive Constraint

Designed to mitigate targeted harassment of a single recipient. Authepy tracks dispatch attempts per recipient identifier; if the activity threshold is surpassed within the observation window, the API enforces a cool-down period to keep the system stable and prevent mailbox flooding.

Global Origin Velocity

Perimeter Shielding

Designed to mitigate dictionary attacks and botnet sweeps. We monitor aggregate request volume from specific source IP footprints. Persistent attempts to bypass these aggregate limits result in an automated transition to a restricted access state.
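The two layers above are easier to reason about with a small model in front of you. The following is an added illustration, not Authepy's edge-router code: a sliding-window limiter keyed once on the recipient identifier and once on the source IP, with a cool-down that starts the moment a threshold is surpassed. Every threshold, window length and cool-down value is invented for the example (Authepy does not publish its real parameters), and the class and function names are this example's own.

```javascript
// Added illustration (not Authepy's code) of layered sliding-window limits keyed
// on recipient identifier and source IP, with a cool-down once a threshold is
// surpassed. All numeric parameters below are invented for the example.

class SlidingWindowLimiter {
  constructor({ limit, windowMs, cooldownMs }) {
    this.limit = limit;            // attempts allowed inside one window
    this.windowMs = windowMs;      // observation window length
    this.cooldownMs = cooldownMs;  // how long a key stays blocked after a violation
    this.events = new Map();       // key -> timestamps (ms) of recent attempts
    this.blockedUntil = new Map(); // key -> ms timestamp at which the cool-down ends
  }

  // Records one attempt for `key` at time `now` (ms) and reports whether it is allowed.
  check(key, now) {
    const until = this.blockedUntil.get(key);
    if (until !== undefined) {
      if (now < until) return { allowed: false, remaining: 0, resetAt: until };
      this.blockedUntil.delete(key); // cool-down elapsed: forget the old history
      this.events.delete(key);
    }
    const recent = (this.events.get(key) || []).filter((t) => t > now - this.windowMs);
    if (recent.length >= this.limit) {
      // Threshold surpassed inside the window: start the cool-down for this key.
      const resetAt = now + this.cooldownMs;
      this.blockedUntil.set(key, resetAt);
      this.events.set(key, recent);
      return { allowed: false, remaining: 0, resetAt };
    }
    recent.push(now);
    this.events.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, resetAt: recent[0] + this.windowMs };
  }
}

// Two layers: the per-origin check runs first so that a source already in
// cool-down is rejected without touching any recipient's quota.
class DispatchGate {
  constructor() {
    this.origin = new SlidingWindowLimiter({ limit: 20, windowMs: 60_000, cooldownMs: 600_000 });
    this.recipient = new SlidingWindowLimiter({ limit: 3, windowMs: 60_000, cooldownMs: 300_000 });
  }

  // Returns the HTTP status a dispatch attempt would receive and which layer blocked it.
  dispatch({ recipient, sourceIp }, now = Date.now()) {
    const byOrigin = this.origin.check(`ip:${sourceIp}`, now);
    if (!byOrigin.allowed) return { status: 429, layer: 'origin', resetAt: byOrigin.resetAt };
    const byRecipient = this.recipient.check(`to:${recipient}`, now);
    if (!byRecipient.allowed) return { status: 429, layer: 'recipient', resetAt: byRecipient.resetAt };
    return { status: 200, layer: null, remaining: byRecipient.remaining, resetAt: byRecipient.resetAt };
  }
}

// Constructed walk-through: one recipient hit five times in five seconds from one
// address. The fourth attempt trips the recipient layer and starts its cool-down.
const demo = new DispatchGate();
for (let i = 0; i < 5; i++) {
  console.log(i, demo.dispatch({ recipient: 'user@example.com', sourceIp: '203.0.113.7' }, i * 1000));
}
```

Passing `now` explicitly keeps the model deterministic, which is also how you would unit-test a real limiter: the interesting behaviour (the attempt that trips the threshold, the attempt during the cool-down, the first attempt after it ends) all depends on the clock.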

Diagnosing 403 Forbidden Bans

An HTTP 403 Forbidden indicates that the Active Defense WAF has identified a request as unauthorized or inherently malicious. While exact sensitivity parameters are obfuscated to prevent adversarial tuning, diagnostic failures typically fall into three buckets:

Diagnostic: Origin Validation Failure

When utilizing a Restricted Key, the Edge Router requires an explicit match between the request header and your configured domain list. Ensure your origin domain is registered exactly, without protocol prefixes (https://) or trailing path segments: register example.com, not https://example.com/login.

Diagnostic: Perimeter Security Ban

Repeated violations of our velocity policies have resulted in a temporary source footprint isolation. This security posture is enforced at the network edge to prevent resource exhaustion and automatically resets after a standard cooling period.

Diagnostic: Anomalous Transit

Our infrastructure actively filters known low-reputation proxies and ephemeral mail registries. Traffic routed through these compromised networks is discarded at the edge to protect sender metrics and workspace integrity.

Header Telemetry

Authepy attaches standard rate-limit telemetry to the HTTP response headers of every successful request. Modern frontend applications can programmatically read these headers to disable the "Send OTP" button in the UI before a 429 error occurs, providing a superior user experience.

X-RateLimit-Limit: 20            // maximum requests allowed in the window (example value)
X-RateLimit-Remaining: 19        // requests remaining before a 429 is returned
X-RateLimit-Reset: 1694285400    // Unix epoch time (seconds) at which the window resets
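The following is an added client-side example of the pattern described above; it is not part of the Authepy documentation or SDK. It reads the three X-RateLimit-* headers from a fetch() Response (or any Map or plain object of headers), decides whether the "Send OTP" button should be disabled, and computes how long to wait. It also handles the two cases a real client meets: a 429 that arrived without telemetry (the headers are documented only for successful requests), and headers that are missing or unparsable. The helper names are this example's own.

```javascript
// Added client-side example (not Authepy's code): turn X-RateLimit-* telemetry
// into UI state so the "Send OTP" button is disabled before a 429 occurs.

// Case-insensitive header lookup over a fetch Headers object, a Map or a plain object.
function headerValue(headers, name) {
  if (typeof headers.get === 'function') return headers.get(name);
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Returns { limit, remaining, resetAt } or null when any header is absent or not an integer.
function parseRateLimit(headers) {
  const read = (name) => {
    const raw = headerValue(headers, name);
    if (raw === null || raw === undefined) return null;
    const n = Number.parseInt(String(raw), 10);
    return Number.isNaN(n) ? null : n;
  };
  const limit = read('X-RateLimit-Limit');
  const remaining = read('X-RateLimit-Remaining');
  const resetAt = read('X-RateLimit-Reset'); // Unix epoch seconds
  if (limit === null || remaining === null || resetAt === null) return null;
  return { limit, remaining, resetAt };
}

// Decides the button state from the HTTP status and headers of the last response.
// `nowSeconds` is injected so the decision is deterministic and testable.
function sendButtonState(status, headers, nowSeconds = Math.floor(Date.now() / 1000)) {
  const rl = parseRateLimit(headers);
  const secondsUntilReset = rl ? Math.max(0, rl.resetAt - nowSeconds) : null;
  if (status === 429) {
    // Already blocked; telemetry may be missing on an unsuccessful response.
    return { disabled: true, reason: 'blocked', retryAfterSeconds: secondsUntilReset };
  }
  if (rl === null) {
    return { disabled: false, reason: 'no-telemetry', retryAfterSeconds: 0 };
  }
  if (rl.remaining <= 0) {
    // Quota used up: disable now rather than let the next click produce a 429.
    return { disabled: true, reason: 'quota-exhausted', retryAfterSeconds: secondsUntilReset };
  }
  return { disabled: false, reason: 'ok', retryAfterSeconds: 0, remaining: rl.remaining };
}

// Constructed sample using the header values shown in the documentation above.
const sampleHeaders = {
  'X-RateLimit-Limit': '20',
  'X-RateLimit-Remaining': '19',
  'X-RateLimit-Reset': '1694285400',
};
console.log(sendButtonState(200, sampleHeaders, 1694285000));
```

In a browser, `sendButtonState(response.status, response.headers)` runs after each call to the dispatch endpoint; when `disabled` is true, re-enable the button with a timer of `retryAfterSeconds` (falling back to a fixed delay when it is null). The reset timestamp is compared against the client clock, so a skewed clock only shortens or lengthens the pause; it never causes a request to be sent while `remaining` is zero.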