Skip to main content

Public MCP rate limits

ProductAtlas rate limits the anonymous, read-only /mcp endpoint to protect the public catalog from abuse and accidental request loops.

Current application default

The committed application default is 60 requests per 60-second fixed window for each directly observed remote IP address. There is no request queue. A deployment can override this configuration, and production edge controls such as Cloudflare may apply additional limits.

The application intentionally does not trust forwarded IP headers until the production proxy chain is explicitly configured. This prevents callers from choosing their own rate-limit partition through a spoofed header.

Limited response

When the application limit is exceeded, the HTTP response uses status 429 Too Many Requests, includes Retry-After when the limiter supplies it, and returns:

{
"code": "rate_limited",
"message": "The anonymous MCP request limit was exceeded. Retry later."
}

Client behavior

  1. Honor Retry-After; do not retry immediately in a tight loop.
  2. If the header is absent, wait until a later fixed window and use bounded exponential backoff with jitter.
  3. Avoid repeating identical searches. Retain compact results and the exact resolved release identity within the current task when appropriate.
  4. Retrieve summary first and request selected sections rather than repeatedly fetching complete detail.
  5. Follow nextCursor sequentially and stop when it is null.

Search pages default to 20 results and clamp the requested size to a maximum of 50. Larger limit values do not bypass response bounds.