Rate limits_

If you disabled rate limits during development, make sure you re-enable them when moving to production environments. Rate limiting can be enabled by setting the _APP_OPTIONS_ABUSE environment variable to enabled.

Rate limits are an important mechanism to protect your app. Without rate limits, malicious actors can spam your APIs to perform denial-of-service type attacks or brute-force user passwords.

How rate limits work

Rate limits in self-hosted Appwrite apply differently depending on how you're accessing the API:

• Client SDKs: Rate limits apply to all requests from client applications
• Server SDKs with API keys: Rate limits do not apply when using API keys

Abuse log retention

Configure how long abuse attempt logs are retained using the _APP_MAINTENANCE_RETENTION_ABUSE environment variable. The default value is 86400 seconds (1 day).

_APP_MAINTENANCE_RETENTION_ABUSE=86400

Shorter retention periods reduce storage usage, while longer periods provide better security audit trails.

Development vs production

For development environments, you can temporarily disable rate limits to avoid interruptions during testing:

_APP_OPTIONS_ABUSE=disabled

Important: Always re-enable rate limits before deploying to production by setting:

_APP_OPTIONS_ABUSE=enabled