chore: raise API rate limit for shared-IP offices (300→3500/min)#313
Merged
Raises the global @fastify/rate-limit cap from 300 to 3500 req/min and the /onramp/token per-route cap from 20 to 100 req/min. The limiter is still keyed by IP, so this is sized for the worst-case shared-egress scenario (a ~170-person office NAT'd behind one address) rather than individual abuse, which the new ceiling still catches.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR raises API rate limits to better support many users sharing a single NAT egress IP, reducing accidental 429s for shared-IP office environments.
Changes:
- Increases the global API rate limit from 300 to 3500 requests/minute.
- Increases the /onramp/token route-specific rate limit from 20 to 100 requests/minute.
CassioMG approved these changes on May 18, 2026.
Summary
- @fastify/rate-limit cap from 300 → 3500 req/min (src/route/index.ts:125)
- /onramp/token cap from 20 → 100 req/min (src/route/index.ts:1485)
Rationale
The limiter is keyed by IP. That's fine for residential users, but breaks down for any office NAT'd behind a single egress address — every coworker shares one bucket.
We have a ~170-person office in that situation. At 300 req/min that's <2 req/user/min before the bucket is exhausted, which an active wallet session blows through immediately (balance fetch + price poll + tx simulation is easily 5-10 req/min per active user). The result is real users getting 429s the moment a handful of them open Freighter at the same time.
Sizing the new ceiling:
- /onramp/token → onramp initiation is rare per-user (you start one fiat purchase, not many), but 20/min across 170 people is one initiation every 8.5s, which is too tight for a shared IP. 100/min is still well under what a single abusive client could plausibly need.
Trade-offs
keyGenerator change, deferred to a follow-up.
Test plan
🤖 Generated with Claude Code
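The per-IP bucket arithmetic the PR describes, and the keyGenerator alternative its Trade-offs section defers, as an added example that is not the PR's code and not the Freighter backend's: a fixed-window limiter with a pluggable key function in the shape @fastify/rate-limit's `keyGenerator` option takes, driven by a constructed workload so it runs offline. The option names `max`, `timeWindow` and `keyGenerator` are the plugin's; the plugin itself is not imported, and the request shape, the `x-session-id` header and the 203.0.113.10 egress address are assumptions for the example.

```typescript
// Added, illustrative example: a fixed-window limiter with a pluggable
// keyGenerator. NOT the PR's code and it does not import @fastify/rate-limit;
// `max`, `timeWindow` and `keyGenerator` are that plugin's option names, the
// Req shape and the `x-session-id` header are assumed for this example.

// The subset of a request this example reads.
interface Req {
  ip: string;
  headers: Record<string, string | undefined>;
}

// Same shape as the plugin's keyGenerator option: request -> bucket key.
type KeyGenerator = (req: Req) => string;

// Default behaviour: key on client IP, so everyone behind one NAT shares a bucket.
const keyByIp: KeyGenerator = (req) => req.ip;

// Alternative: key on an authenticated session (hypothetical `x-session-id`
// header), falling back to IP for anonymous traffic. The prefixes keep the two
// key namespaces from colliding.
const keyBySessionOrIp: KeyGenerator = (req) => {
  const sid = req.headers["x-session-id"];
  return sid ? `sid:${sid}` : `ip:${req.ip}`;
};

interface LimiterOptions {
  max: number;          // requests allowed per window (plugin: `max`)
  timeWindowMs: number; // window length in ms (plugin: `timeWindow`)
  keyGenerator: KeyGenerator;
}

// Fixed-window counter per key; the count resets once a window has elapsed.
class FixedWindowLimiter {
  private readonly opts: LimiterOptions;
  private readonly buckets = new Map<string, { count: number; windowStart: number }>();
  constructor(opts: LimiterOptions) {
    this.opts = opts;
  }

  // true = allowed, false = would be answered with 429.
  hit(req: Req, nowMs: number): boolean {
    const key = this.opts.keyGenerator(req);
    const b = this.buckets.get(key);
    if (b === undefined || nowMs - b.windowStart >= this.opts.timeWindowMs) {
      this.buckets.set(key, { count: 1, windowStart: nowMs });
      return true;
    }
    b.count += 1;
    return b.count <= this.opts.max;
  }
}

// Constructed workload: `users` clients behind one egress IP, each issuing
// `reqPerUser` requests spread evenly over one minute. Returns how many requests
// the limiter rejects. `withSession = false` models anonymous traffic.
function rejectedCount(
  opts: LimiterOptions,
  users: number,
  reqPerUser: number,
  withSession = true,
  ip = "203.0.113.10", // RFC 5737 documentation address, stands in for the office egress
): number {
  const limiter = new FixedWindowLimiter(opts);
  let rejected = 0;
  for (let n = 0; n < reqPerUser; n++) {
    const t = Math.floor((n * 60_000) / reqPerUser); // all within one 60 s window
    for (let u = 0; u < users; u++) {
      const headers: Req["headers"] = withSession ? { "x-session-id": `user-${u}` } : {};
      if (!limiter.hit({ ip, headers }, t)) rejected++;
    }
  }
  return rejected;
}

const WINDOW = 60_000;
// The PR's scenario: 170 coworkers behind one IP at ~8 req/min each, on the old 300/min cap.
console.log("ip-keyed, max 300:", rejectedCount({ max: 300, timeWindowMs: WINDOW, keyGenerator: keyByIp }, 170, 8));
// Same office on the new 3500/min cap.
console.log("ip-keyed, max 3500:", rejectedCount({ max: 3500, timeWindowMs: WINDOW, keyGenerator: keyByIp }, 170, 8));
// Same office on the old cap, but keyed per session: no shared bucket.
console.log("session-keyed, max 300:", rejectedCount({ max: 300, timeWindowMs: WINDOW, keyGenerator: keyBySessionOrIp }, 170, 8));
// The cost of raising an IP-keyed cap: a single client can now push 3000/min unthrottled.
console.log("one client, ip-keyed, max 3500:", rejectedCount({ max: 3500, timeWindowMs: WINDOW, keyGenerator: keyByIp }, 1, 3000));
```

The four runs at the bottom make the trade-off concrete: on the old cap the IP-keyed office loses 1060 of 1360 requests to 429s, the new cap loses none, and keying on the session would also lose none without touching the cap. The last run is the check worth keeping in mind until the deferred keyGenerator change lands: under the 3500/min IP key, one client issuing 3000 requests in a minute is never rejected.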