Plugins

Rate Limiting Plugin

The Rate Limiting plugin caps the number of actions an agent can request per time window. Limits are enforced per agent, per action type, or globally. State is stored in Redis for sub-millisecond checks.

Configuration

Environment variables
# Global rate limit across all agents (requests/minute)
RATE_LIMIT_GLOBAL_RPM=1000

# Per-agent rate limit (requests/minute)
RATE_LIMIT_PER_AGENT_RPM=100

# Burst allowance above the per-minute limit
RATE_LIMIT_BURST=20

# Algorithm: sliding_window | token_bucket | fixed_window
RATE_LIMIT_ALGORITHM=sliding_window

Per-Action Limits in Rego

You can also define action-level limits directly in your OPA policy. For each request, the Engine injects the current request count for the window as input.rate.count and the window length in milliseconds as input.rate.window_ms, so a rule can compare the count against a per-action threshold.

policy/rate_limit.rego
package lelu.authz

import future.keywords

# Stricter limit for destructive actions: deny once more than 10
# delete_records requests have been counted in the current window.
# `contains ... if` is the keyword form enabled by the import above
# (required by OPA 1.0; accepted by earlier releases with this import).
deny contains msg if {
  input.action == "delete_records"
  input.rate.count > 10
  msg := "delete_records: exceeded 10/min rate limit"
}

HTTP Response on Limit Exceeded

HTTP 429
HTTP/1.1 429 Too Many Requests
Retry-After: 42
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1737000000

{
  "error": "rate_limit_exceeded",
  "retry_after_seconds": 42
}
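As an added example (not the plugin's own code), the following Python models the sliding-window check behind the per-action rule above and renders a denial as the 429 response shown. Redis is replaced by an in-memory deque so it runs offline; the key layout, the per-action table, and the check()/to_http_429() API are assumptions, and the count it tracks is the value the Engine would expose as input.rate.count.

```python
import json, math
from collections import deque

WINDOW_MS = 60_000                          # one-minute sliding window
PER_AGENT_RPM = 100                         # RATE_LIMIT_PER_AGENT_RPM
PER_ACTION_RPM = {"delete_records": 10}     # constructed; mirrors the Rego rule


class SlidingWindowLimiter:
    """In-memory stand-in for the Redis-backed sliding-window log."""

    def __init__(self):
        self._log = {}                      # key -> deque of request times (ms)

    def _window(self, key, now_ms):
        q = self._log.setdefault(key, deque())
        while q and q[0] <= now_ms - WINDOW_MS:   # evict entries outside the window
            q.popleft()
        return q

    def check(self, agent, action, now_ms):
        # Narrowest scope first (per-action, then per-agent). Nothing is recorded
        # unless every applicable limit admits the request, so a denied call never
        # consumes quota.
        scopes = [(f"agent:{agent}", PER_AGENT_RPM)]
        if action in PER_ACTION_RPM:
            scopes.insert(0, (f"agent:{agent}:action:{action}", PER_ACTION_RPM[action]))
        windows = [(self._window(key, limit_now := now_ms), limit) for key, limit in scopes]
        for q, limit in windows:
            if len(q) >= limit:
                retry_ms = q[0] + WINDOW_MS - now_ms   # when the oldest entry expires
                return {"allowed": False, "limit": limit, "remaining": 0,
                        "count": len(q), "retry_after": math.ceil(retry_ms / 1000),
                        "reset": (now_ms + retry_ms) // 1000}
        for q, _ in windows:
            q.append(now_ms)
        q, limit = windows[0]               # report the narrowest scope's quota
        return {"allowed": True, "limit": limit, "remaining": limit - len(q),
                "count": len(q), "retry_after": 0,
                "reset": (q[0] + WINDOW_MS) // 1000}


def to_http_429(decision):
    """Render a denial as the status, headers and body documented above."""
    headers = {"Retry-After": str(decision["retry_after"]),
               "X-RateLimit-Limit": str(decision["limit"]),
               "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": str(decision["reset"])}
    body = json.dumps({"error": "rate_limit_exceeded",
                       "retry_after_seconds": decision["retry_after"]})
    return 429, headers, body
```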