Security

Four-Layer Rate Limiting on Form Endpoints

January 10, 2026

Unprotected form endpoints are a reliable target for abuse: automated floods, credential stuffing setup, and resource exhaustion attacks. Formtorch now enforces rate limits at four independent layers on every submission.

The four layers

| Layer | Scope | Window |
| --- | --- | --- |
| Global | All traffic across all forms | Per minute |
| Per-form | Submissions to a single form | Per minute |
| Per-IP | All submissions from one IP | Per minute |
| Per-IP per-form | One IP to one specific form | Per minute |

Each layer has independent thresholds. A request must pass all four to be accepted.

Redis-backed with in-memory fallback

Counters are stored in Upstash Redis for accuracy across serverless instances. If Redis is unreachable, Formtorch automatically falls back to an in-memory store, so rate limiting never becomes a point of failure for your forms.

What happens when a limit is hit

The endpoint returns 429 Too Many Requests with a Retry-After header. HTML form submissions receive a friendly error page. AJAX and JSON requests get a structured error response.

Legitimate users submitting at normal human pace are never affected.
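
The following sketch is an added example, not Formtorch's code: it shows one way to check the four layers with a fixed one-minute window, fall back to a local counter when the shared store throws, and compute the Retry-After value for a 429. The thresholds, key names, `CounterStore` interface and `makeLimiter` function are all assumptions, and the stores are synchronous in-process stand-ins so the example runs offline.

```javascript
// Added example. Thresholds, key names and the store interface are assumptions.
const WINDOW_SEC = 60; // every layer on the page uses a per-minute window
const LIMITS = { global: 1000, form: 100, ip: 20, ipForm: 5 }; // assumed values

// Fixed-window counter. Used here as a synchronous stand-in for the shared
// Redis store and for the local fallback (a real Redis client is async, and
// a real store would expire each key once its window has passed).
class CounterStore {
  constructor() { this.counts = new Map(); this.up = true; }
  incr(key) {
    if (!this.up) throw new Error("store unreachable"); // simulated outage
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n;
  }
}

// Escape each part so an IPv6 address or form id cannot blur key boundaries.
const key = (...parts) => ["rl", ...parts].map(encodeURIComponent).join(":");

function makeLimiter(primary, fallback, limits = LIMITS) {
  // Try the shared store first; if it throws, count in the local fallback.
  const incr = (k) => {
    try { return primary.incr(k); } catch { return fallback.incr(k); }
  };
  return function check(formId, ip, nowMs) {
    const win = Math.floor(nowMs / 1000 / WINDOW_SEC); // current window index
    const layers = [
      ["global", key(win, "global")],
      ["form", key(win, "form", formId)],
      ["ip", key(win, "ip", ip)],
      ["ipForm", key(win, "ipform", ip, formId)],
    ];
    // Count the request at all four layers, then reject if any is over.
    const hit = layers
      .map(([name, k]) => [name, incr(k)])
      .find(([name, n]) => n > limits[name]);
    if (!hit) return { status: 200 };
    // Retry-After: whole seconds until the current window rolls over.
    const retryAfter = Math.ceil((win + 1) * WINDOW_SEC - nowMs / 1000);
    return { status: 429, layer: hit[0], headers: { "Retry-After": String(retryAfter) } };
  };
}
```

In this sketch the fallback counter starts from zero and lives in one process, so during an outage its limits are enforced per instance rather than across all of them; the page does not say how Formtorch's own fallback handles this.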
