From 5c0eca118773b3811ba118f3eeac759eddb09de0 Mon Sep 17 00:00:00 2001 From: rohan Date: Fri, 5 Dec 2025 14:34:15 +0530 Subject: [PATCH 1/7] feat: add docs for cloud and self hosted rate limiting Signed-off-by: rohan --- src/pages/public-api/index.mdx | 29 +++++++++++++++++++ .../self-hosting/configuration/envars.mdx | 5 ++++ 2 files changed, 34 insertions(+) diff --git a/src/pages/public-api/index.mdx b/src/pages/public-api/index.mdx index 2b1a6957..a3934472 100644 --- a/src/pages/public-api/index.mdx +++ b/src/pages/public-api/index.mdx @@ -68,3 +68,32 @@ curl https://api.phase.dev/v1/secrets/?app_id=8d8fde43-ceb6-4c92-a776-827433512f ## Encryption Mode Certain API endpoints that allow manipulation of encrypted data such as Secrets require Server-side Encryption (SSE) to be enabled for the App. You can enable SSE for an App from the [App settings page](/console/apps#settings). + +## Rate Limits + +The Phase Cloud API enforces rate limiting to ensure fair usage and maintain optimal performance for all users. The following standard rate limits apply, based on your Organisation's plan: + +| Plan | Requests per Minute | +|------|---------------------| +| Free | 120 | +| Pro | 240 | +| Enterprise | Custom | + +If you exceed the allowed number of requests within a given time frame, you will receive a `429 Too Many Requests` response. The response will include information about when you can retry your request in the `retry-after` header.: + +```bash +HTTP/2 429 +server: nginx +date: Fri, 05 Dec 2025 07:18:01 GMT +content-type: application/json +content-length: 68 +retry-after: 52 +allow: GET, POST, PUT, DELETE, HEAD, OPTIONS +x-frame-options: DENY +vary: Origin +x-content-type-options: nosniff +referrer-policy: same-origin +cross-origin-opener-policy: same-origin +``` + +Self-hosted Phase instances do not enforce rate limiting by default. However, administrators can configure rate limiting based on their requirements via the `RATE_LIMIT_DEFAULT` environment variable. Please see the self hosting [deployment configuration documentation](/self-hosting/configuration/envars#additional-environment-variables) for more details. \ No newline at end of file diff --git a/src/pages/self-hosting/configuration/envars.mdx b/src/pages/self-hosting/configuration/envars.mdx index 14c8f09f..d1cdd1e1 100644 --- a/src/pages/self-hosting/configuration/envars.mdx +++ b/src/pages/self-hosting/configuration/envars.mdx @@ -932,4 +932,9 @@ These variables are not required if using the suggested [docker-compose template Example: `phase_license:v1:...` Referenced by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. + + Rate limit for API requests. + Example: `100/minute`. Rate limits can be specified over a period of second, minute, hour or day. The period must be specified after the / separator using s, m, h or d, respectively. For increased clarity, extended units such as second, minute, hour, day or even abbreviations like sec, min, hr are allowed, as only the first character is relevant to identify the rate. + Referenced by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. + From 7c9d8d6141254646f53605b46c0b3f55126e5279 Mon Sep 17 00:00:00 2001 From: Rohan Chaturvedi Date: Fri, 5 Dec 2025 14:41:45 +0530 Subject: [PATCH 2/7] Update src/pages/public-api/index.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/pages/public-api/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/public-api/index.mdx b/src/pages/public-api/index.mdx index a3934472..bf1db04c 100644 --- a/src/pages/public-api/index.mdx +++ b/src/pages/public-api/index.mdx @@ -79,7 +79,7 @@ The Phase Cloud API enforces rate limiting to ensure fair usage and maintain opt | Pro | 240 | | Enterprise | Custom | -If you exceed the allowed number of requests within a given time frame, you will receive a `429 Too Many Requests` response. The response will include information about when you can retry your request in the `retry-after` header.: +If you exceed the allowed number of requests within a given time frame, you will receive a `429 Too Many Requests` response. The response will include information about when you can retry your request in the `retry-after` header. ```bash HTTP/2 429 From 99556ced2bc68a04a08c43dae58d7b649f4eaffb Mon Sep 17 00:00:00 2001 From: Rohan Chaturvedi Date: Fri, 5 Dec 2025 14:41:51 +0530 Subject: [PATCH 3/7] Update src/pages/public-api/index.mdx Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/pages/public-api/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/public-api/index.mdx b/src/pages/public-api/index.mdx index bf1db04c..feb5dbba 100644 --- a/src/pages/public-api/index.mdx +++ b/src/pages/public-api/index.mdx @@ -96,4 +96,4 @@ referrer-policy: same-origin cross-origin-opener-policy: same-origin ``` -Self-hosted Phase instances do not enforce rate limiting by default. However, administrators can configure rate limiting based on their requirements via the `RATE_LIMIT_DEFAULT` environment variable. Please see the self hosting [deployment configuration documentation](/self-hosting/configuration/envars#additional-environment-variables) for more details. \ No newline at end of file +Self-hosted Phase instances do not enforce rate limiting by default. However, administrators can configure rate limiting based on their requirements via the `RATE_LIMIT_DEFAULT` environment variable. Please see the self-hosting [deployment configuration documentation](/self-hosting/configuration/envars#additional-environment-variables) for more details. \ No newline at end of file From 5ffaa5ac2fd7557c4abcff9ed1de7e3d56d52064 Mon Sep 17 00:00:00 2001 From: Nimish Date: Fri, 12 Dec 2025 15:34:14 +0530 Subject: [PATCH 4/7] docs: add Redis_SSL environment variable documentation for backend and worker containers --- src/pages/self-hosting/configuration/envars.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/pages/self-hosting/configuration/envars.mdx b/src/pages/self-hosting/configuration/envars.mdx index d1cdd1e1..138faa0b 100644 --- a/src/pages/self-hosting/configuration/envars.mdx +++ b/src/pages/self-hosting/configuration/envars.mdx @@ -418,6 +418,13 @@ Env(s) required by the following containers: The password for the Redis server. Can be mounted from a file by suffixing `_FILE` to the key, pointing to a filepath. + Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. + + + Enables or disables SSL for Redis connections. Defaults to `False`. + + The value is considered `True` if the environment variable is set to `"true"` (case-insensitive). + Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. From 6e750bb29b17d76bd5f47437e5164b3eda92f11b Mon Sep 17 00:00:00 2001 From: Nimish Date: Sat, 20 Dec 2025 16:42:42 +0530 Subject: [PATCH 5/7] docs: clarify rate limiting enforcement details in API documentation --- src/pages/public-api/index.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/pages/public-api/index.mdx b/src/pages/public-api/index.mdx index feb5dbba..4ee5c4d2 100644 --- a/src/pages/public-api/index.mdx +++ b/src/pages/public-api/index.mdx @@ -79,6 +79,10 @@ The Phase Cloud API enforces rate limiting to ensure fair usage and maintain opt | Pro | 240 | | Enterprise | Custom | + +The rate limits are enforced per account (User or Service Account) across an organisation. + + If you exceed the allowed number of requests within a given time frame, you will receive a `429 Too Many Requests` response. The response will include information about when you can retry your request in the `retry-after` header. ```bash From 8c9b06cb47ce574c321ab56683370f482eb1bd1c Mon Sep 17 00:00:00 2001 From: Nimish Date: Tue, 30 Dec 2025 19:28:05 +0530 Subject: [PATCH 6/7] docs: enhance Redis configuration documentation with ACL and SSL details --- src/pages/self-hosting/configuration/envars.mdx | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/pages/self-hosting/configuration/envars.mdx b/src/pages/self-hosting/configuration/envars.mdx index 138faa0b..102c84aa 100644 --- a/src/pages/self-hosting/configuration/envars.mdx +++ b/src/pages/self-hosting/configuration/envars.mdx @@ -404,6 +404,12 @@ Env(s) required by the following containers: ## Redis configuration +Phase uses Redis or Valkey for a synchronous jobs queues, caching and rate limiting. + + + If your Redis or Valkey instance support ACLs, make sure it's set up with at least `on ~* -@all +@read +@write` access string (ACL) permissions. + + The Redis server hostname. Defaults to `redis`. @@ -427,6 +433,17 @@ Env(s) required by the following containers: Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. + + The username for the Redis server. Required if your Redis instance has ACLs enabled. + + Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. + + + Path to the CA certificate bundle for verifying Redis SSL certificates. Required if `REDIS_SSL` is set to `True`. + Example: `/etc/ssl/certs/ca-certificates.crt` + If you using a self-signed certificate, you can set this to the path to the certificate bundle. Sames goes for a certificate bundle for a managed service like Redis Cloud which may not be available in the default certificate bundle. + Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. + --- From 98b253d7e20c9289d411b05c08795ce13aed0e3f Mon Sep 17 00:00:00 2001 From: Nimish Date: Tue, 30 Dec 2025 19:31:56 +0530 Subject: [PATCH 7/7] docs: add DATABASE_SSL and DATABASE_SSL_CA_PATH environment variable documentation for backend and worker containers --- .../self-hosting/configuration/envars.mdx | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/src/pages/self-hosting/configuration/envars.mdx b/src/pages/self-hosting/configuration/envars.mdx index 102c84aa..0eaa2d5d 100644 --- a/src/pages/self-hosting/configuration/envars.mdx +++ b/src/pages/self-hosting/configuration/envars.mdx @@ -398,6 +398,22 @@ Env(s) required by the following containers: Referenced by the [`backend`](https://hub.docker.com/r/phasehq/backend) container. + + Enables or disables SSL/TLS for database connections. Defaults to `False`. + + When `False` or unset, Phase uses the default `sslmode=prefer`, which attempts a TLS connection but falls back to plaintext if TLS is unavailable. When `True`, Phase enforces a TLS connection. + + Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. + + + Path to the CA certificate bundle for verifying the database's TLS certificate. + + If provided, Phase sets `sslmode=verify-full` and validates the database certificate against this CA, including a hostname check. If not provided (but `DATABASE_SSL=True`), Phase sets `sslmode=require`. + + For AWS RDS, Phase includes the RDS CA bundle at `/etc/ssl/certs/rds-ca-bundle.pem` which you can point this variable to. + + Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. + --- @@ -438,7 +454,7 @@ Phase uses Redis or Valkey for a synchronous jobs queues, caching and rate limit Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers. - + Path to the CA certificate bundle for verifying Redis SSL certificates. Required if `REDIS_SSL` is set to `True`. Example: `/etc/ssl/certs/ca-certificates.crt` If you using a self-signed certificate, you can set this to the path to the certificate bundle. Sames goes for a certificate bundle for a managed service like Redis Cloud which may not be available in the default certificate bundle.