Quotas and limits
Every quota and rate-limit value below is derived from the entitlements module at build time, so this page cannot drift from what the server actually enforces.
Entitlements per tier
| | Free | ʻAtāmai | Pro | Unlimited |
|---|---|---|---|---|
| Scans / month | 3 | 50 | 200 | Unlimited plan¹ |
| Projects (verified domains) | 1 | 1 | 5 | 20 |
| API tokens | 0 | 1 | 5 | 20 |
| Webhook endpoints | 0 | 1 | 5 | 20 |
| Active probes | no | yes | yes | yes |
| GitHub repo scans | no | no | yes | yes |
| Scheduled re-scans | no | no | ≥3h cadence | ≥6h cadence |
| Live threat detection | no | no | no | yes |
| Sharable reports | no | no | yes | yes |
| Retention | 7 days | 30 days | 90 days | 365 days |
| Team seats | 1 | 1 | 1 | 5 |
| Support | standard | standard | priority | dedicated |
¹ The Unlimited plan's scan quota is subject to fair use — see Terms. ² The project cap defaults to 20 active-monitoring domains at ≥6h cadence. Contact support@fixvibe.app to raise it in exchange for a longer scheduled cadence.
API rate limits
Every /api/v1/* and /api/mcp request is keyed on a hash of the bearer token and runs through two windows:
- Burst: 10 requests per second.
- Steady: 60 requests per minute.
- Per signed-in user: 30 scan submissions per 10 minutes — a soft cap above the per-plan monthly quota that absorbs bursts without exhausting the daily budget.
On 429, the response includes:
```http
HTTP/1.1 429 Too Many Requests
content-type: application/json
retry-after: 47
x-ratelimit-limit: 60
x-ratelimit-remaining: 0
x-ratelimit-reset: 1715116200

{
  "error": "rate_limited",
  "message": "Token rate limit exceeded — steady (60/min). Retry in 47s.",
  "retry_after_seconds": 47
}
```
The window which tripped is named in the message (burst (10/s) vs steady (60/min)) so a client backoff can adapt.
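One way a client can turn the 429 above into a wait time, as an added example that is not the service's own code. The names `plan_backoff` and `MAX_WAIT`, the fallback defaults, and the reading of `x-ratelimit-reset` as a Unix epoch in seconds are assumptions.

```python
import json
import re

# Constructed sample: the 429 shown on this page, as (status, headers, body).
SAMPLE_429 = (
    429,
    {"retry-after": "47", "x-ratelimit-limit": "60",
     "x-ratelimit-remaining": "0", "x-ratelimit-reset": "1715116200"},
    b'{"error": "rate_limited", "message": "Token rate limit exceeded '
    b'\xe2\x80\x94 steady (60/min). Retry in 47s.", "retry_after_seconds": 47}',
)

WINDOW_RE = re.compile(r"\b(burst|steady)\s*\(")
MAX_WAIT = 120.0  # assumption: cap on a single sleep, not a documented value


def plan_backoff(status, headers, body, now):
    """Return (window, wait_seconds) for a 429, or None if not throttled."""
    if status != 429:
        return None
    headers = {k.lower(): v for k, v in headers.items()}
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}  # an intermediary may have replaced the JSON body
    if not isinstance(payload, dict):
        payload = {}
    match = WINDOW_RE.search(str(payload.get("message", "")))
    window = match.group(1) if match else "unknown"
    # Preference order: JSON field, then Retry-After header.
    wait = None
    for raw in (payload.get("retry_after_seconds"), headers.get("retry-after")):
        try:
            wait = float(raw)
            break
        except (TypeError, ValueError):
            continue
    if wait is None:
        try:
            # Assumption: x-ratelimit-reset is a Unix epoch in seconds.
            wait = float(headers["x-ratelimit-reset"]) - now
        except (KeyError, ValueError):
            # Last resort: one full window (treat unknown as steady).
            wait = 1.0 if window == "burst" else 60.0
    return window, min(max(wait, 0.0), MAX_WAIT)
```

A caller sleeps for the returned number of seconds before retrying; adding a small random jitter on top keeps several workers sharing one token from retrying in lockstep.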
Free plan scan rate limit (per IP/24)
On top of the per-org 3-scans-per-month cap, Free plan users face an additional per-IP/24 rate limit: 3 scans per rolling 24 hours per IP /24 block. The same limiter covers anonymous instant scans, which prevents farming Free quota through throwaway accounts on one IP. Requests exceeding the limit return HTTP 429 Too Many Requests with a Retry-After header.
Signup throttle (per IP/24)
5 successful signups per IP/24 per 24 hours, to prevent automated creation of Free plan accounts. Throttled callbacks redirect back to /sign-in?error=rate_limited.
Retention
Scans and findings auto-purge per the table above. Anonymous one-shot scans expire 24h after creation. Audit logs are retained for 18 months. Monitor snapshots are pruned to the last 7 days plus the latest baseline per (domain, signal). Dismissed alerts are purged after 90 days. All retention is enforced daily by /api/cron/retention-cleanup.
