Rate limits

The anonymous tier is capped at 10 scans per 24-hour rolling window, keyed by a salted hash of your IP. Read endpoints (GET /scan/:id, GET /skill/:name) are unlimited.

Anonymous limit

Limit: 10 successful POST /scan calls per 24h
Key: SHA-256(IP + IP_HASH_SALT) — we never store the raw IP
Storage: Redis, with a sliding-window TTL
Scope: only POST /scan. All reads are unmetered.

429 Too Many Requests

HTTP/1.1 429 Too Many Requests
Retry-After: 43200
Content-Type: application/json

{
  "error": "rate_limited",
  "retryAfterSec": 43200
}

Retry-After header is in seconds, per RFC 9110.
retryAfterSec in the JSON body is the same value, for convenience.
The successful POST response also includes a remaining field so you can back off before hitting 429.

Why 10/24h? The free hosted tier is a demo, not infrastructure. If you need higher throughput in CI or local dev, run the CLI (coming soon) — it's local-only and unlimited.

Pro / Team / Enterprise

Pro ($19/user/mo) — 5,000 scans/month, no per-IP cap, API key auth
Team ($49/user/mo, planned) — 50,000/month pooled across the org
Enterprise (planned) — custom limits, optional dedicated worker pool, BYOK signing keys

Best practices

Check remaining after each POST; back off when it hits 0
Cache result pages — the SSR HTML is stable and indexable, no need to re-fetch the API from server-rendered consumers
For repeat scans of the same skill, use GET /skill/:name to pull the latest completed scan without consuming your budget