Skip to content

MCP Rate Limits

The MCP gateway enforces a per-organization token bucket, independent of the REST API limits:

WindowLimit
Per minute120 requests
Per day50,000 requests
Burst120

Limits are keyed per organization (resolved from your API key), so all clients sharing a credential draw from the same bucket. When a tenant exceeds the limit, the call is rejected at the rate-limit stage of the gateway — before the allowlist, audit, or tool handler runs — and the client receives a JSON-RPC error.

The limiter is backed by Redis. In production the server refuses to start without Redis; an in-memory fallback exists only for local development and must be explicitly enabled with MCP_ALLOW_MEMORY_RATE_LIMITER=true.

Design agents to back off

Agents that loop over many objects should pace their calls and handle rate-limit errors with a short backoff. Prefer search_media and list_objects with pagination over issuing one tool call per object.

Released under the AGPL-3.0 License.