docs: update api.md and authentication.md for Redis rate-limit backend and token logging

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hugh Brown
2026-03-04 11:33:04 -07:00
committed by Abhimanyu Saharan
parent 72241d6870
commit 494bf4649e
2 changed files with 10 additions and 3 deletions

@@ -79,7 +79,7 @@ Each header is configurable via `SECURITY_HEADER_*` environment variables. Set a
## Rate limits
The following per-IP rate limits are enforced in-memory per backend process:
The following per-IP rate limits are enforced on sensitive endpoints:
| Endpoint | Limit | Window |
| --- | --- | --- |
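Review bot: The reworded intro line ("enforced on sensitive endpoints") no longer tells the reader where limit state is kept, and nothing at this point in the section says that the default is still per-process. Consider pointing to the backend setting here, for example by ending the sentence with a reference to `RATE_LIMIT_BACKEND`, so a reader who stops at the table does not assume the limits are global across workers.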
@@ -88,7 +88,14 @@ The following per-IP rate limits are enforced in-memory per backend process:
When a rate limit is exceeded, the API returns `429 Too Many Requests`.
> **Note:** These limits are per-process. Multi-process deployments should also apply rate limiting at the reverse proxy layer (nginx `limit_req`, Caddy, etc.).
Set `RATE_LIMIT_BACKEND` to choose the storage backend:
| Backend | Value | Behavior |
| --- | --- | --- |
| In-memory (default) | `memory` | Per-process limits; no external dependencies. |
| Redis | `redis` | Shared across all workers. Set `RATE_LIMIT_REDIS_URL` or it falls back to `RQ_REDIS_URL`. Connectivity is validated at startup; transient failures fail open. |
> **Note:** When using the in-memory backend, limits are per-process. Multi-process deployments should either switch to the Redis backend or apply rate limiting at the reverse proxy layer (nginx `limit_req`, Caddy, etc.).
## Request IDs
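Review bot: In the Redis row, "transient failures fail open" is stated without its consequence. If failing open means requests go unthrottled while Redis is unreachable, say so explicitly, since that covers the sensitive endpoints this section exists to protect. The note below the table presents Redis and reverse-proxy limiting as either/or; given the fail-open behavior, it would be safer to recommend keeping a proxy-level limit as a backstop even when the Redis backend is selected. The fallback to `RQ_REDIS_URL` also merits a sentence on whether sharing that instance with the queue is intended.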


@@ -36,4 +36,4 @@ Autonomous agents authenticate via an `X-Agent-Token` header (not the bearer tok
Security notes:
- Agent auth is rate-limited to **20 requests per 60 seconds per IP**. Exceeding this returns `429 Too Many Requests`.
- Agent tokens are **not logged** on authentication failure — not even partially. If debugging agent auth issues, verify the token value at the source rather than looking for it in server logs.
- On authentication failure, only a short prefix of the presented token is logged to aid debugging. Full tokens are never written to logs.
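Review bot: The replacement bullet reverses the earlier guarantee ("not logged ... not even partially") but leaves "a short prefix" unquantified. State the exact number of characters that are logged so operators can judge how much of the token ends up in logs, and note that logs now carry partial secret material and should be access-controlled accordingly. If the prefix is only needed to correlate failures with a specific token, a truncated hash of the token would do that without writing any token characters to the log.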