Rate Limiting
Formtorch applies rate limits at multiple layers to protect forms from abuse and ensure consistent performance for all users.
What gets rate limited
Rate limiting applies to the public form submission endpoint (POST /f/{formId}). The dashboard and API are governed by separate limits.
Submission rate limits
| Layer | Limit | Scope |
|---|---|---|
| IP burst | 10 requests / 10 seconds | Per IP address |
| IP + form | 30 requests / minute | Per IP per form |
| Form sustained | 100 requests / 5 minutes | Per form |
| Workspace quota | Your monthly plan limit | Per account |
Limits are enforced independently. A request must pass all layers to succeed.
Rate limit responses
When a rate limit is hit, Formtorch returns:
HTTP 429 Too Many Requests
Retry-After: <seconds>The Retry-After header tells clients how long to wait before retrying.
Monthly submission quota
Your plan includes a fixed number of submissions per month:
| Plan | Monthly submissions |
|---|---|
| Free | 150 |
| Starter | 1,000 |
| Pro | 5,000 |
Spam and test submissions don’t count toward your quota. The quota resets on the first day of each calendar month.
When the Free plan quota is reached, the form stops accepting submissions until the next reset. Starter and Pro plans may allow limited overages — see your billing settings for details.
You can monitor your current usage from Settings → Usage in the dashboard. A warning email is sent when you approach your limit.
Backends
Rate limits use Upstash Redis in production for distributed enforcement. In local development without Redis configured, an in-memory fallback is used automatically.
Exemptions
- Test submissions (
_test=true) don’t count against monthly quota but are still subject to per-IP and per-form rate limits - Spam submissions don’t count against monthly quota