feat: add docs for cloud and self hosted rate limiting

src/pages/public-api/index.mdx

@@ -68,3 +68,36 @@ curl https://api.phase.dev/v1/secrets/?app_id=8d8fde43-ceb6-4c92-a776-827433512f
 ## Encryption Mode
 
 Certain API endpoints that allow manipulation of encrypted data such as Secrets require Server-side Encryption (SSE) to be enabled for the App. You can enable SSE for an App from the [App settings page](/console/apps#settings).
+
+## Rate Limits
+
+The Phase Cloud API enforces rate limiting to ensure fair usage and maintain optimal performance for all users. The following standard rate limits apply, based on your Organisation's plan:
+
+| Plan | Requests per Minute |
+|------|---------------------|
+| Free | 120                  |
+| Pro  | 240                 |
+| Enterprise | Custom |
+
+<Note>
+The rate limits are enforced per account (User or Service Account) across an organisation.
+</Note>
+
+If you exceed the allowed number of requests within a given time frame, you will receive a `429 Too Many Requests` response. The response will include information about when you can retry your request in the `retry-after` header.
+
+```bash
+HTTP/2 429 
+server: nginx
+date: Fri, 05 Dec 2025 07:18:01 GMT
+content-type: application/json
+content-length: 68
+retry-after: 52
+allow: GET, POST, PUT, DELETE, HEAD, OPTIONS
+x-frame-options: DENY
+vary: Origin
+x-content-type-options: nosniff
+referrer-policy: same-origin
+cross-origin-opener-policy: same-origin
+```
+
+Self-hosted Phase instances do not enforce rate limiting by default. However, administrators can configure rate limiting based on their requirements via the `RATE_LIMIT_DEFAULT` environment variable. Please see the self-hosting [deployment configuration documentation](/self-hosting/configuration/envars#additional-environment-variables) for more details.

src/pages/self-hosting/configuration/envars.mdx

@@ -398,12 +398,34 @@ Env(s) required by the following containers:
 
     Referenced by the [`backend`](https://hub.docker.com/r/phasehq/backend) container.
   </Property>
+  <Property name="DATABASE_SSL" type="boolean">
+    Enables or disables SSL/TLS for database connections. Defaults to `False`. 
+
+    When `False` or unset, Phase uses the default `sslmode=prefer`, which attempts a TLS connection but falls back to plaintext if TLS is unavailable. When `True`, Phase enforces a TLS connection.
+
+    Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers.
+  </Property>
+  <Property name="DATABASE_SSL_CA_PATH" type="string (Optional)">
+    Path to the CA certificate bundle for verifying the database's TLS certificate.
+
+    If provided, Phase sets `sslmode=verify-full` and validates the database certificate against this CA, including a hostname check. If not provided (but `DATABASE_SSL=True`), Phase sets `sslmode=require`.
+
+    For AWS RDS, Phase includes the RDS CA bundle at `/etc/ssl/certs/rds-ca-bundle.pem` which you can point this variable to.
+
+    Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers.
+  </Property>
 </Properties>
 
 ---
 
 ## Redis configuration
 
+Phase uses Redis or Valkey for a synchronous jobs queues, caching and rate limiting.
+
+<Note>
+  If your Redis or Valkey instance support ACLs, make sure it's set up with at least `on ~* -@all +@read +@write` access string (ACL) permissions.
+</Note>
+
 <Properties>
   <Property name="REDIS_HOST" type="string">
     The Redis server hostname. Defaults to `redis`.
@@ -420,6 +442,24 @@ Env(s) required by the following containers:
 
     Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers.
   </Property>
+  <Property name="REDIS_SSL" type="boolean">
+    Enables or disables SSL for Redis connections. Defaults to `False`.
+
+    The value is considered `True` if the environment variable is set to `"true"` (case-insensitive).
+
+    Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers.
+  </Property>
+  <Property name="REDIS_USERNAME" type="string (Optional)">
+    The username for the Redis server. Required if your Redis instance has ACLs enabled.
+
+    Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers.
+  </Property>
+  <Property name="REDIS_SSL_CA_PATH" type="string (Optional)">
+    Path to the CA certificate bundle for verifying Redis SSL certificates. Required if `REDIS_SSL` is set to `True`.
+    Example: `/etc/ssl/certs/ca-certificates.crt`
+    If you using a self-signed certificate, you can set this to the path to the certificate bundle. Sames goes for a certificate bundle for a managed service like Redis Cloud which may not be available in the default certificate bundle.
+    Required by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers.
+  </Property>
 </Properties>
 
 ---
@@ -932,4 +972,9 @@ These variables are not required if using the suggested [docker-compose template
     Example: `phase_license:v1:...`
     Referenced by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers.
   </Property>
+  <Property name="RATE_LIMIT_DEFAULT" type="string">
+    Rate limit for API requests.
+    Example: `100/minute`. Rate limits can be specified over a period of second, minute, hour or day. The period must be specified after the / separator using s, m, h or d, respectively. For increased clarity, extended units such as second, minute, hour, day or even abbreviations like sec, min, hr are allowed, as only the first character is relevant to identify the rate. 
+    Referenced by the [`backend`](https://hub.docker.com/r/phasehq/backend) and [`worker`](https://hub.docker.com/r/phasehq/backend) containers.
+  </Property>
 </Properties>