Protect your APIs and simulate real-world usage limits
Every mock endpoint you create is reachable without authentication when its project is public — that's the point of a shareable mock API. Since there's no login to gate abuse on those calls, Mock API Builder applies a fixed rate limit to every request that hits the mock executor, per client IP address. This is a platform-level guard against denial-of-service, not a per-project setting you configure — there's no UI to change these numbers.
Both limiters use a fixed window: once your first request in a window arrives, a counter starts and resets after the window elapses (not a rolling/sliding average). The share-token limiter additionally tracks a short burst window so a quick spike doesn't immediately exhaust your per-minute budget, but sustained traffic above the base rate still gets limited.
The executor checks the counter for this IP (or token+IP) before doing any database work.
The request proceeds normally; response headers report how much of the window's quota remains.
The executor short-circuits with a 429 Too Many Requests response before touching the database.
When limited, clients receive a 429 Too Many Requests status with these headers and body:
Standard fetch implementation with retry logic: