From 863d20aada522ed92424c8aff19b4439ecd948f0 Mon Sep 17 00:00:00 2001 From: devlikeapro <155617407+devlikepro@users.noreply.github.com> Date: Fri, 31 Oct 2025 11:25:54 +0700 Subject: [PATCH 1/2] Fix typo in rate limiting requests per second --- self-hosted/monitoring/rate-limiting.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/self-hosted/monitoring/rate-limiting.mdx b/self-hosted/monitoring/rate-limiting.mdx index 779a836e..f9bba254 100644 --- a/self-hosted/monitoring/rate-limiting.mdx +++ b/self-hosted/monitoring/rate-limiting.mdx @@ -9,7 +9,7 @@ You could customize the configuration to suit your needs by updating, [`config/i ## Default Rate Limits -- Chatwoot will throttles requests by IP at `60rpm`, Unless the request is from an allowed IP `['127.0.0.1', '::1']` +- Chatwoot will throttles requests by IP at `60rps`, Unless the request is from an allowed IP `['127.0.0.1', '::1']` - Signup Requests are limited by IP at `5 requests` per `5 minutes`. - SignIn Requests are limited by IP at `5 requests` per `20 seconds`. - SignIn Requests are limited by email address at `20 requests` per `5 minutes` for a specific email. From 95eaa099af42e428f71ac3b1a6ed21fe82f39d5a Mon Sep 17 00:00:00 2001 From: Sojan Jose Date: Thu, 28 May 2026 18:30:11 +0530 Subject: [PATCH 2/2] docs: correct Rack Attack rate limits --- self-hosted/monitoring/rate-limiting.mdx | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/self-hosted/monitoring/rate-limiting.mdx b/self-hosted/monitoring/rate-limiting.mdx index f9bba254..1fe099ff 100644 --- a/self-hosted/monitoring/rate-limiting.mdx +++ b/self-hosted/monitoring/rate-limiting.mdx 
@@ -9,12 +9,20 @@ You could customize the configuration to suit your needs by updating, [`config/i ## Default Rate Limits -- Chatwoot will throttles requests by IP at `60rps`, Unless the request is from an allowed IP `['127.0.0.1', '::1']` +- Chatwoot throttles requests by IP at `3000 requests` per `1 minute`, unless the request is from an allowed IP such as `127.0.0.1` or `::1`. - Signup Requests are limited by IP at `5 requests` per `5 minutes`. - SignIn Requests are limited by IP at `5 requests` per `20 seconds`. - SignIn Requests are limited by email address at `20 requests` per `5 minutes` for a specific email. - Reset Password Requests are limited at `5 requests` per `1 hour` for a specific email. +## Widget API Rate Limits + +When `ENABLE_RACK_ATTACK_WIDGET_API` is enabled, Chatwoot also applies the following widget API limits by IP: + +- Widget conversation creation is limited to `6 requests` per `12 hours`. +- Widget contact updates are limited to `60 requests` per `1 hour`. +- New widget sessions without an existing conversation token are limited to `5 requests` per `1 hour`. + ## Attachment Restrictions - `Contact/Inbox Avatar` attachment file types are limited to jpeg, gif and png.
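Review bot: In the hunk of patch 1/2, the change from `60rpm` to `60rps` on the "Chatwoot will throttles requests by IP" line is labelled a typo fix, but it alters the documented limit by a factor of 60 and the commit gives no source for the new value. Please confirm the figure against the configuration file this page links to and name that source in the commit message, since operators rely on this number when judging how much request flooding the default settings absorb. While the line is being touched, "will throttles" and the capitalised "Unless" could be corrected as well.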
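Review bot: In the hunk of patch 2/2, the rewritten first bullet says "an allowed IP such as `127.0.0.1` or `::1`", which turns the previous exact list `['127.0.0.1', '::1']` into an open-ended one. Allowed IPs bypass the throttle, so the bullet should state whether these two addresses are the complete default and where the allowlist is set. In the new "Widget API Rate Limits" section, please say whether `ENABLE_RACK_ATTACK_WIDGET_API` is enabled by default, so a reader can tell whether the three widget limits apply to an unmodified install. The commit message would also benefit from a line on why `3000 requests` per `1 minute` replaces `60rps`, because the two are not equivalent (3000 per minute is 50 per second).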