Public MCP rate limits
ProductAtlas rate limits the anonymous, read-only /mcp endpoint to protect the
public catalog from abuse and accidental request loops.
Current application default
The committed application default is 60 requests per 60-second fixed window for each directly observed remote IP address. There is no request queue. A deployment can override this configuration, and production edge controls such as Cloudflare may apply additional limits.
The application intentionally does not trust forwarded IP headers until the production proxy chain is explicitly configured. This prevents callers from choosing their own rate-limit partition through a spoofed header.
Limited response
When the application limit is exceeded, the HTTP response uses status 429 Too Many Requests, includes Retry-After when the limiter supplies it, and returns:
{
"code": "rate_limited",
"message": "The anonymous MCP request limit was exceeded. Retry later."
}
Client behavior
- Honor
Retry-After; do not retry immediately in a tight loop. - If the header is absent, wait until a later fixed window and use bounded exponential backoff with jitter.
- Avoid repeating identical searches. Retain compact results and the exact resolved release identity within the current task when appropriate.
- Retrieve
summaryfirst and request selected sections rather than repeatedly fetchingcompletedetail. - Follow
nextCursorsequentially and stop when it isnull.
Search pages default to 20 results and clamp the requested size to a maximum of
50. Larger limit values do not bypass response bounds.