Rate Limits & Security

How we keep our platform stable and secure.

To ensure stability for all users and prevent abuse, we enforce rate limits across our platform.

Public API Limits (High Volume)

  • Event Ingestion (/api/public/events): 100 requests per minute per IP.
  • Form Loading (/api/public/forms): 100 requests per minute per IP.

Security Infrastructure

Boostack is built with multiple layers of hardening to protect your data:

  • Cryptographic Keys: All API keys and secrets are generated with a cryptographically secure pseudorandom number generator (CSPRNG).
  • Session Verification: Real-time session verification and Role-Based Access Control (RBAC) on all administrative routes.
  • Error Masking: Production API responses mask internal error details to prevent information disclosure.
  • Domain Locking: Every project is locked to authorized domains to prevent unauthorized usage of your forms and widgets.

If you exceed a limit, the API will return a 429 Too Many Requests status code.

{
  "error": "Too many requests. Please try again later."
}

We recommend implementing exponential backoff in your custom integrations to handle these errors gracefully.
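
One way to implement the recommended backoff, as an added example that is not Boostack's own code: a JavaScript wrapper that retries only on 429, using full-jitter exponential delays. The base delay, cap, attempt count, POST/JSON request shape and the handling of a Retry-After header (used only if the server happens to send one) are assumptions, not documented behaviour.

```javascript
// Added example: retry wrapper for 429 responses from the public endpoints.
// Assumed (not from the docs): base delay, cap, attempt count, JSON POST body,
// and that a Retry-After header, if present at all, is given in seconds.
const DEFAULTS = { baseMs: 500, capMs: 30000, maxAttempts: 6 };

// Full-jitter backoff: uniform in [0, min(cap, base * 2^attempt)).
// `rand` is injectable so the schedule can be checked deterministically.
function backoffDelayMs(attempt, opts = DEFAULTS, rand = Math.random) {
  const ceiling = Math.min(opts.capMs, opts.baseMs * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}

// Use the server's hint when it is a sane number of seconds, clamped to the cap.
// Missing, empty, negative or non-numeric (e.g. HTTP-date) values return null.
function retryAfterMs(headerValue, capMs) {
  if (headerValue == null || headerValue === "") return null;
  const secs = Number(headerValue);
  if (!Number.isFinite(secs) || secs < 0) return null;
  return Math.min(capMs, secs * 1000);
}

async function sendWithBackoff(url, payload, opts = DEFAULTS, fetchFn = fetch,
                               sleep = (ms) => new Promise((r) => setTimeout(r, ms))) {
  for (let attempt = 0; attempt < opts.maxAttempts; attempt++) {
    const res = await fetchFn(url, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(payload),
    });
    if (res.status !== 429) return res;          // not rate limited: caller handles it
    if (attempt === opts.maxAttempts - 1) break; // out of attempts, skip the final sleep
    const hinted = retryAfterMs(res.headers.get("Retry-After"), opts.capMs);
    await sleep(hinted ?? backoffDelayMs(attempt, opts));
  }
  throw new Error(`still rate limited after ${opts.maxAttempts} attempts`);
}
```

The jitter keeps many clients behind one IP from retrying in lockstep, and the attempt cap stops a misbehaving integration from hammering the endpoint indefinitely.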

Updated April 2026 • © Boostack Documentation