Rate limiting
How Blazeauth throttles websocket traffic, initialization attempts, and packet-specific flows.
Blazeauth uses several rate limits.
- Some limits reject the connection before WebSocket upgrade.
- Some limits close an already-open WebSocket session.
- Some limits return a normal JSON
status.
How it is surfaced
| Layer | What client receives | When it happens |
|---|---|---|
| Connection rate limit | HTTP 429 Too Many Requests + Retry-After header | Server rejects the connection before WebSocket upgrade. |
| Session traffic throttling | WebSocket close 4201 with reason rate limit hit | The connected session exceeds the shared traffic limit. |
| Initialize rate limit | WebSocket close 4201 with reason rate limited, N seconds left | Initialize is called too early after a previous limit hit. |
| Packet-specific throttling | Normal JSON response status, for example TooManyRequests | One packet has its own business-level throttling rules. |
Status vs close vs HTTP
WebSocket rate limits are usually returned as HTTP 429 or close code
4201. Packet-specific limits use normal JSON statuses such as
TooManyRequests.
Global session traffic limit
Current limit:
| Limit | Window | Scope |
|---|---|---|
60 client actions | 1 minute | One active WebSocket session |
This limit counts:
- normal client JSON packets
- WebSocket ping frames sent by client
If the limit is hit:
- the server closes the session with close code
4201 - close reason is
rate limit hit
Waiting before retry
Sometimes the server tells the client to wait before retrying.
If that happens:
- respect
Retry-Afterwhen the HTTP layer provides it - respect
N seconds leftwhen the close reason provides it - do not assume immediate reconnect will succeed
Before WebSocket upgrade
Sometimes the server rejects the connection before the WebSocket is even opened:
- HTTP status:
429 Too Many Requests - header:
Retry-After: N
In this case there is no WebSocket close code, because the socket was never opened.
During Initialize
Sometimes Initialize closes the socket with:
- the server closes the socket with
4201 - close reason is
rate limited, N seconds left
This is different from plain rate limit hit:
rate limit hitmeans the current session exceeded the live traffic windowrate limited, N seconds leftmeans client should wait before tryingInitializeagain
Packet-specific limits
Some limits belong to one specific packet and do not close the socket.
Create account
Create account has a separate limit for account creation without a license:
| Limit | Window | Scope | Result |
|---|---|---|---|
3 accounts | 24 hours | One client IP | JSON status TooManyRequests |
Notes:
- this limit applies to no-license account creation
- server may include
retry_afterin the response - client should keep the socket open and retry later instead of reconnecting immediately
Status code note
Global status code RateLimited exists in the public status enum, but current
documented WebSocket throttling flows are primarily exposed through:
- HTTP
429before upgrade - WebSocket close code
4201 - JSON status
TooManyRequestsfor packet-specific limits
Client rules
- Handle HTTP
429before assuming the WebSocket session even exists. - Handle WebSocket close
4201as a transport/session-level throttling event. - Treat
Retry-Afterheader and packetretry_afteras the authoritative backoff signal when present. - Do not spam ping frames; they participate in the same global session limit.
- Do not assume session resumption bypasses throttling. Immediate reconnects can still be rejected.