Enterprise-grade protections against DoS, abuse, and noisy tenants. Multi-tenant fairness with per-IP and per-tenant rate limiting.
Rate Limiting
| Route Class | Limit Type | Rate | Burst |
|---|---|---|---|
| Public Verify | Per-IP | 50 r/s | 20 |
| Minting | Per-Tenant | 20 r/s | 10 |
| Governance | Per-Tenant | 10 r/s | 5 |
| General API | Per-IP | 100 r/s | 50 |
Request Size Limits
| Endpoint | Max Body Size |
|---|---|
| Global Default | 1 MB |
| /v1/attestations | 512 KB |
Error Responses
| HTTP | Code | Description |
|---|---|---|
| 413 | PAYLOAD_TOO_LARGE | Request body exceeds size limit |
| 429 | RATE_LIMIT_EXCEEDED | Too many requests |
| 503 | SERVICE_UNAVAILABLE | Upstream temporarily unavailable |
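The tables above give per-route rate, burst, and body-size limits and the error codes the gateway returns when they are exceeded. As an added example (not the project's own gateway code), the admission check below applies those limits with a token bucket keyed by route class and by the client IP or tenant, depending on the route. It assumes the usual bucket semantics (capacity = burst, refill = rate per second); the route-class keys and the injectable clock are illustrative.

```python
import time
from dataclasses import dataclass

# Route classes from the Rate Limiting table: (keying scope, rate in r/s, burst).
LIMITS = {
    "public_verify": ("ip", 50.0, 20),
    "minting": ("tenant", 20.0, 10),
    "governance": ("tenant", 10.0, 5),
    "general": ("ip", 100.0, 50),
}
# Body limits from the Request Size Limits table.
DEFAULT_MAX_BODY = 1 * 1024 * 1024
BODY_LIMITS = {"/v1/attestations": 512 * 1024}


@dataclass
class Bucket:
    tokens: float   # tokens currently available (at most `burst`)
    updated: float  # clock reading at the last refill


class Gateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable for deterministic tests (assumption)
        self.buckets = {}       # (route_class, scope, subject) -> Bucket

    def _take(self, key, rate, burst):
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(tokens=float(burst), updated=now)  # new client starts full
            self.buckets[key] = b
        # Refill at `rate` tokens per second, never beyond the burst capacity.
        b.tokens = min(float(burst), b.tokens + (now - b.updated) * rate)
        b.updated = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def admit(self, route_class, path, ip, tenant, body_len):
        """Return (HTTP status, error code) for one request, per the tables above."""
        if body_len > BODY_LIMITS.get(path, DEFAULT_MAX_BODY):
            return 413, "PAYLOAD_TOO_LARGE"
        scope, rate, burst = LIMITS[route_class]
        subject = ip if scope == "ip" else tenant   # per-IP vs per-tenant keying
        if not self._take((route_class, scope, subject), rate, burst):
            return 429, "RATE_LIMIT_EXCEEDED"
        return 200, "OK"
```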
Connection timeout protection
All API services enforce HTTP server timeouts that protect against slowloris-style denial-of-service attacks. These timeouts automatically close connections that send data too slowly, preventing a single attacker from exhausting server resources with many slow, open connections. This protection applies to every service behind the API gateway and requires no configuration on your part. If you are running long-polling or streaming requests, ensure your client sends data within the standard HTTP timeout window. Standard API requests are not affected.
Algorithm Enforcement
Compliance Mapping
B2C
- Per-IP limits protect consumer endpoints
- Privacy-first: only hashes logged
- Rate limits explained as consumer protection
B2B
- Per-tenant quotas for SLA isolation
- Audit retention for enterprise audits
- Correlation IDs for SOC2/ISO27001
B2G
- Stricter governance route limits
- Retention supports regulatory recordkeeping
- Error taxonomy for legal defensibility
B2B2C
- Dual-layer limits (IP + tenant)
- Offline bundle verification
- Cross-org portability
Configuration
# Gateway (nginx.conf)

