rate_limit: Additionally limit to 2000 authenticated requests per hour.

2025-11-03 13:33:24 +00:00 · 2025-10-24 19:04:14 +00:00
parent 421ba8afcf
commit 5c2b0d91d5
2 changed files with 4 additions and 1 deletions
--- a/api_docs/http-headers.md
+++ b/api_docs/http-headers.md
@@ -70,7 +70,8 @@ HTTP headers in all API responses:
 and can vary by server and over time. The default configuration
 currently limits:

-* Every user is limited to 200 total API requests per minute.
+* Every user is limited to 200 total API requests per minute, and 2000
+  total API requests per hour.
 * Separate, much lower limits for authentication/login attempts.

 When the Zulip server has configured multiple rate limits that apply
--- a/zproject/default_settings.py
+++ b/zproject/default_settings.py
@@ -266,6 +266,8 @@ DEFAULT_RATE_LIMITING_RULES = {
    "api_by_user": [
        # 200 requests per minute
        (60, 200),
+        # 2000 requests per hour
+        (3600, 2000),
    ],
    # Limits total number of unauthenticated API requests (primarily
    # used by the public access option). Since these are