Limits Reference
All limits are extracted from the service config.go files and
project_context_map.md §13. Environment variable names are the
override mechanism — see
Configuration Reference.
Default values apply when the environment variable is absent.
Gateway
| Limit | Default | Env | Description |
|---|---|---|---|
| Rate limit — sustained RPS | 10 000 req/s | RATE_LIMIT_RPS | Local token-bucket, per IP. |
| Rate limit — burst | 20 000 req/s | RATE_LIMIT_BURST | Instantaneous headroom above RPS. |
| Rate limit — window | 60 s | RATE_LIMIT_WINDOW | Sliding window for Valkey-backed cap. |
| Rate limit — global cap | 1 000 000 req/window | RATE_LIMIT_MAX_REQUESTS | Valkey sliding window hard cap. |
| Circuit breaker — failure threshold | 5 errors / 30 s |  | Implemented per upstream service. |
| Circuit breaker — open timeout | 60 s |  | After open, one probe request. |
| DB pool — max open connections | 25 | DB_MAX_OPEN_CONNS | Per service instance. |
| DB pool — max idle connections | 5 | DB_MAX_IDLE_CONNS | Per service instance. |
| DB pool — conn max lifetime | 5 min | DB_CONN_MAX_LIFETIME | Prevents stale connections. |
| DB pool — conn max idle time | 1 min | DB_CONN_MAX_IDLE_TIME | Evicts idle connections. |
IAM Service
| Limit | Default | Env | Description |
|---|---|---|---|
| JWT access token TTL | 15 min | JWT_ACCESS_TOKEN_TTL | ES256 signed. |
| JWT refresh token TTL | 7 days | JWT_REFRESH_TOKEN_TTL | Stored in Valkey. |
| JWT rotation grace period | 24 h |  | Dual-key overlap during rotation. |
| JWT rotation interval | 90 days |  | Via Vault. |
| Delegation token TTL | 3 600 s (1 h) | DELEGATION_TOKEN_TTL | B2B2B parent-on-behalf-of-child. |
| Password min length | 12 chars |  | NIST 800-63B. |
| TOTP recovery codes | 10 codes |  | One-time-use, bcrypt-hashed. |
| Invite expiry | 72 h |  | Constant-time response (anti-enum). |
| OAuth callback timeout | 10 min |  | State parameter TTL. |
| Idempotency key window | 24 h |  | Dedup via Valkey. |
Data Layer
| Limit | Default | Env | Description |
|---|---|---|---|
| Max record size | 1 MB | DATA_MAX_RECORD_SIZE_BYTES | Entire JSON document. |
| Max JSONB field | 256 KB | DATA_MAX_JSONB_SIZE_BYTES | Per JSONB column. |
| Max tables per module | 50 | DATA_MAX_TABLES_PER_MODULE | At manifest validation. |
| Max relation depth | 2 levels |  | ?select=field,relation(field). |
| Max filters per query | 10 |  | URL query parameters. |
| Max rows per page | 100 |  | limit query parameter. |
| CDC pipeline latency | < 5 s |  | PostgreSQL → Kafka → ClickHouse. |
Event Bus
| Limit | Default | Env | Description |
|---|---|---|---|
| Kafka event retention | 168 h (7 days) | KAFKA_RETENTION_HOURS | Domain events. |
| Kafka audit event retention | 720 h (30 days) | KAFKA_AUDIT_RETENTION_HOURS | platform.audit.events. |
| Kafka max delivery attempts | Configurable | KAFKA_MAX_ATTEMPTS | After exhaustion → DLQ. |
| Kafka topics | 8 |  | platform.{auth,module,money,files,notify,audit,billing,data}.events. |
| Partition key | entityId |  | UUID v7 (time-sortable). |
Notification Service
| Limit | Default | Env | Description |
|---|---|---|---|
| Rate limit — per tenant | 100/min | NOTIFY_RATE_LIMIT_PER_TENANT | Hard cap, returns 429. |
| Rate limit — per module | 50/min |  | Sub-cap within tenant limit. |
| Batch send — max items | 500 |  | POST /api/v1/notifications/batch. |
| Retry attempts | 5 |  | Before moving to DLQ. |
| Retry backoff — initial delay | 30 s |  | Exponential, ±10% jitter. |
| Retry backoff — max delay | 480 s (8 min) |  | Cap on exponential growth. |
| WebSocket — max connections | 1 000 | NOTIFY_WS_MAX_CONNECTIONS_PER_TENANT | Per tenant. |
| WebSocket — max message rate | 200 msg/s |  | Per tenant. |
| WebSocket — heartbeat interval | 30 s |  | Ping/pong. |
| WebSocket — heartbeat timeout | 10 s |  | Connection drop on miss. |
| WebSocket — reconnect backoff max | 30 s |  | Exponential + jitter. |
| Replay buffer size | 100 messages | WS_REPLAY_BUFFER_SIZE | Per channel, Valkey-backed. |
| Replay buffer TTL | 3 600 s (1 h) | WS_REPLAY_BUFFER_TTL_SEC | Messages expire after this. |
| Notification history retention | 90 days | NOTIFY_HISTORY_RETENTION_DAYS | PostgreSQL. |
File Storage
| Limit | Default | Env | Description |
|---|---|---|---|
| Max image size | 10 MB | FILES_MAX_IMAGE_SIZE_MB | ClamAV scanned before move. |
| Staging bucket TTL | 24 h | FILES_STAGING_TTL_HOURS | Files not moved stay in staging. |
| Max pending uploads per tenant | 100 |  | Simultaneous in-progress uploads. |
| Soft-delete retention | 30 days | FILES_SOFT_DELETE_RETENTION_DAYS | Recoverable via restore. |
| Orphan scan interval | 24 h | FILES_ORPHAN_SCAN_INTERVAL_HOURS | Background cleanup worker. |
| Presigned URL TTL (upload) | Configurable | FILES_PRESIGN_TTL | Default varies by deployment. |
| Thumbnail presets | 5 |  | icon_32, avatar_64, card_300, preview_600, full_1200. |
Money Service
| Limit | Default | Env | Description |
|---|---|---|---|
| Max transaction amount | $100 000 |  | 10 000 000 cents, BIGINT. |
| Max wallet balance | $1 000 000 |  | 100 000 000 cents, plan-enforced. |
| Min transaction amount | $0.01 |  | 1 cent. |
| Hold default TTL | 72 h | MONEY_HOLD_TTL_HOURS | Auto-expires, released back. |
| Hold max TTL | 7 days |  | Hard cap, enforced at service. |
| Max concurrent holds per wallet | 100 | MONEY_MAX_HOLDS_PER_WALLET | Returns 422 beyond cap. |
| Reversal window | 365 days | MONEY_REVERSAL_MAX_AGE_DAYS | After original transaction. |
| Hold cleanup interval | 60 s | MONEY_HOLD_CLEANUP_INTERVAL_SEC | Background worker ticker. |
| Idempotency key required | Yes (mandatory) |  | All write operations. |
Audit Log Service
| Limit | Default | Env | Description |
|---|---|---|---|
| Hot storage retention | 90 days | AUDIT_HOT_DAYS | ClickHouse ReplacingMergeTree. |
| Cold storage retention | 7 years | AUDIT_COLD_YEARS | S3 Glacier. |
| WAL fallback retention | 7 days |  | PostgreSQL audit_wal replay buffer. |
| Batch write max items | Unlimited |  | POST /api/v1/audit/batch. |
Billing Service
| Limit | Default | Env | Description |
|---|---|---|---|
| Grace period | 7 days after due |  | Full access retained. |
| Suspension period | Days 8–37 after due |  | Read-only access. |
| Termination | Day 38+ |  | Soft-delete, 90-day data retention. |
| Cache TTL (billing plan) | 15 min | BILLING_CACHE_TTL | Gateway Valkey cache. |
| GDPR crypto-wipe delay | 30 days | BILLING_CRYPTO_WIPE_PERIOD_DAYS | After deletion request. |
Integration Hub
| Limit | Default | Env | Description |
|---|---|---|---|
| Rate limit — outgoing per provider | 100 req/s | INTEGRATION_RATE_LIMIT_PER_SEC | Token bucket. |
| Max retry attempts | 5 |  | Exponential backoff before DLQ. |
| Circuit breaker — failure threshold | 5 errors / 30 s |  | sony/gobreaker. |
| Circuit breaker — open timeout | 60 s |  | HALF_OPEN probe after timeout. |
Domain Resolver
| Limit | Default | Env | Description |
|---|---|---|---|
| Max custom domains per tenant | 5 | DOMAINS_MAX_PER_TENANT | Returns 422 beyond cap. |
| DNS verification TTL | 72 h | DOMAINS_VERIFY_TTL_HOURS | Verification link expiry. |
| SSL renewal window | 30 days before expiry | DOMAINS_SSL_RENEW_DAYS_BEFORE | Let's Encrypt ACME auto-renew. |
Feature Flags
| Limit | Default | Env | Description |
|---|---|---|---|
| Max flags per tenant | 0 (unlimited) | FLAGS_MAX_PER_TENANT | 0 = no cap. |
| SDK in-memory cache TTL | 15 s |  | Refresh interval via polling. |
| Default when service down | false |  | Safe fail-off. |
Infrastructure
| Resource | Limit | Description |
|---|---|---|
| Kafka max message size | 1 MB | Default Kafka message.max.bytes. |
| PostgreSQL max connections | 100 per service (pool) | DB_MAX_OPEN_CONNS × instances. |
| Valkey key TTL (session cache) | Per-token TTL | Mirrors JWT exp claim. |
| S3 max object size | 5 TB | SeaweedFS / AWS S3 native limit. |
| ClickHouse insert batch | Configurable | Recommended: ≥ 1 000 rows/batch. |
See Also
- FAQ — common questions about limits
- Configuration Reference — full environment variable reference with defaults
- Error Catalog — error codes returned when limits are exceeded