Rate Limits
Current Limits
EmBoux currently does not enforce rate limiting at the API level. The API is designed for infrastructure provisioning, not high-frequency access patterns.
Typical usage patterns:
| Operation | Expected Frequency |
|---|---|
| Create domain | Once per customer onboarding |
| Create mailbox | A few per domain setup |
| Create alias | A few per mailbox |
| Quota updates | On plan change |
| Suspend/activate | On payment events |
Recommendations
Even without enforced rate limits, follow these best practices:
- Don’t poll — Use webhooks or Odoo crons for sync, not polling loops
- Batch where possible — If creating multiple resources, do them sequentially without artificial delays
- Set reasonable timeouts — We recommend 10-15 seconds per request
- Handle errors gracefully — Retry `500` errors with exponential backoff (1s, 2s, 4s)
Future Rate Limits
When rate limiting is introduced, it will follow standard HTTP conventions:
- `429 Too Many Requests` status code
- `Retry-After` header with seconds to wait
- Per-key limits based on plan tier
We’ll announce changes with at least 30 days’ notice.
WAF Protection
The API sits behind a Web Application Firewall. To avoid being blocked:
- Set a proper `User-Agent` header (e.g., `MyApp/1.0` or `Odoo/19.0 (EmBoux Core Sync)`)
- Don’t send malformed or extremely large payloads
- Don’t make requests from known-bad IP ranges
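
The recommendations above (request timeout, retrying `500` errors on the 1s, 2s, 4s schedule, a descriptive `User-Agent`) and the announced `429`/`Retry-After` convention, combined in one client wrapper. This is an added example, not EmBoux's own code; the function names, the 60-second cap on `Retry-After`, and the assumption that the request is safe to repeat are illustrative.

```python
import time
import urllib.error
import urllib.request

USER_AGENT = "MyApp/1.0"      # descriptive client identifier, as the WAF section asks
TIMEOUT_SECONDS = 15          # upper end of the recommended 10-15 seconds
BACKOFF_SECONDS = (1, 2, 4)   # retry schedule from the recommendations
MAX_RETRY_AFTER = 60          # assumption: never trust an unbounded server-supplied wait


def http_send(method, url, body=None, headers=None):
    """Send one request; return (status, headers, body). Timeouts propagate as exceptions."""
    hdrs = {"User-Agent": USER_AGENT, **(headers or {})}
    req = urllib.request.Request(url, data=body, method=method, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT_SECONDS) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive as exceptions in urllib; normalise them to a plain tuple
        return err.code, dict(err.headers), err.read()


def retry_delay(status, headers, attempt):
    """Seconds to wait before retry number `attempt`, or None when no retry applies."""
    if attempt >= len(BACKOFF_SECONDS):
        return None                       # schedule exhausted: give up
    if status == 500:
        return BACKOFF_SECONDS[attempt]
    if status == 429:
        value = {k.lower(): v for k, v in headers.items()}.get("retry-after", "").strip()
        if value.isdecimal():             # Retry-After given in seconds
            return min(int(value), MAX_RETRY_AFTER)
        return BACKOFF_SECONDS[attempt]   # header missing or not a number
    return None                           # success or a client error: do not retry


def call_api(method, url, body=None, headers=None, send=http_send, sleep=time.sleep):
    """Call the API, retrying 500 and 429 responses; returns the final (status, body)."""
    attempt = 0
    while True:
        status, resp_headers, data = send(method, url, body, headers)
        delay = retry_delay(status, resp_headers, attempt)
        if delay is None:
            return status, data
        sleep(delay)
        attempt += 1
```

The `send` and `sleep` parameters exist so the retry logic can be exercised with a stub transport and no real waiting.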