Rate Limits
Policy
Korta applies per-endpoint rate limiting by client IP.
Default windows and limits:
- Public shorten: 100/hour
- Redirects: 300/5 minutes
- Login: 10/15 minutes
- Register: 5/15 minutes
- Forgot password: 5/15 minutes
- Reset password: 10/15 minutes
- API key regenerate: 5/15 minutes
Limits by endpoint
| Endpoint | Limit | Window |
|---|---|---|
| POST /api/v1/urls/public | 100 requests | 60 minutes |
| GET /:shortId and GET /api/v1/urls/redirect/:shortId | 300 requests | 5 minutes |
| POST /api/v1/auth/login | 10 requests | 15 minutes |
| POST /api/v1/auth/register | 5 requests | 15 minutes |
| POST /api/v1/auth/forgot-password | 5 requests | 15 minutes |
| POST /api/v1/auth/reset-password | 10 requests | 15 minutes |
| POST /api/v1/auth/api-key/regenerate | 5 requests | 15 minutes |
Headers
The API uses standard rate limit headers (standardHeaders: true), with legacy headers disabled.
| Header | Description |
|---|---|
| RateLimit-Limit | Maximum requests allowed in the current window. |
| RateLimit-Remaining | Requests remaining in the current window. |
| RateLimit-Reset | Seconds until the current rate-limit window resets. |
Exceeded limit behavior
When a limiter is exceeded, the API responds with:
- HTTP 429 Too Many Requests
- Error body:

```json
{
  "statusCode": 429,
  "error": "Too Many Requests",
  "message": "Too many login attempts. Please try again later."
}
```

The message is endpoint-specific.
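The headers and the 429 response described above, handled from the client side so that a caller pauses until the window resets. This is an added example, not Korta's own code; the function names, the 60-second fallback and the sample response are assumptions constructed for illustration.

```javascript
// Added example: client-side handling of the RateLimit-* headers and the 429 body.
// Function names, the fallback delay and the sample response are hypothetical.

// Read the three standard headers from a plain object or a fetch Headers instance.
function parseRateLimit(headers) {
  const get = (name) =>
    typeof headers.get === "function"
      ? headers.get(name)
      : headers[name] ?? headers[name.toLowerCase()];
  const num = (name) => {
    const raw = get(name);
    if (raw === undefined || raw === null) return null;
    const text = String(raw).trim();
    return /^\d+$/.test(text) ? Number(text) : null; // reject malformed values
  };
  return {
    limit: num("RateLimit-Limit"),
    remaining: num("RateLimit-Remaining"),
    resetSeconds: num("RateLimit-Reset"),
  };
}

// Milliseconds to pause before the next request to the same endpoint (0 = go ahead).
function delayBeforeNextRequest(status, headers, fallbackMs = 60000) {
  const { remaining, resetSeconds } = parseRateLimit(headers);
  const exhausted = status === 429 || remaining === 0;
  if (!exhausted) return 0;
  // RateLimit-Reset is seconds until the window resets, not a timestamp.
  if (resetSeconds === null) return fallbackMs; // header missing or malformed
  return resetSeconds * 1000;
}

// Extract the endpoint-specific message from a 429 error body, tolerating bad JSON.
function rateLimitMessage(bodyText) {
  try {
    const body = JSON.parse(bodyText);
    return body.statusCode === 429 && typeof body.message === "string" ? body.message : null;
  } catch {
    return null;
  }
}

// Constructed sample: a 429 from the login endpoint with 120 seconds left in the window.
const sample429 = {
  status: 429,
  headers: { "RateLimit-Limit": "10", "RateLimit-Remaining": "0", "RateLimit-Reset": "120" },
  body: '{ "statusCode": 429, "error": "Too Many Requests", "message": "Too many login attempts. Please try again later."}',
};
console.log(delayBeforeNextRequest(sample429.status, sample429.headers), rateLimitMessage(sample429.body));
```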