ThornGuard enforces per-license rate limits to prevent runaway AI agents from overwhelming your upstream MCP servers. Rate limiting runs after authentication and IP whitelist checks in the security pipeline.

How It Works

ThornGuard uses a per-license limiter backed primarily by a Cloudflare Durable Object, with a KV fallback path available for resilience. Because Cloudflare KV is eventually consistent, counts observed while the fallback path is in use may be approximate rather than exact; the Durable Object path is the one that serialises all requests for a license through a single counter:
  1. Each license hash maps to one rate-limiter object.
  2. Requests are counted in one-minute windows.
  3. The gateway checks the current window before proxying upstream.
  4. When the limit is exceeded, ThornGuard returns 429 Too Many Requests and includes a Retry-After header.

Default Thresholds

| Tier       | Requests per Minute      | Configurable             |
|------------|--------------------------|--------------------------|
| Individual | 1,000                    | Not self-service today   |
| Enterprise | Unlimited by default (0) | Configurable per license |
Rate limits are stored in per-license settings, but they are not currently exposed as a self-service field in the live dashboard UI. Note that a limit of 0 means unlimited, not "no requests allowed".

What Happens When Rate Limited

When a request exceeds the rate limit:
  • The proxy returns an HTTP 429 Too Many Requests response.
  • A BLOCKED_RATE_LIMIT action is logged in your audit trail.
  • The response includes a Retry-After header giving the number of seconds until the current one-minute window rolls over, so a well-behaved client can back off instead of retrying immediately.
Counters reset automatically at the start of each new one-minute window.

Tier Detection

ThornGuard determines your plan tier automatically from your Polar.sh license:
  • Individual: limitActivations = 3
  • Enterprise: limitActivations >= 30
The tier is cached in Cloudflare KV alongside your license validation status for instant authorization on subsequent requests.
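The following is an added example, not ThornGuard's own code, that models the behaviour described in How It Works, What Happens When Rate Limited and Tier Detection in one place: a fixed one-minute window counter per license hash, a 429 with Retry-After when the window is exhausted, a BLOCKED_RATE_LIMIT audit entry, and the tier mapping from a Polar.sh limitActivations value. A plain Map stands in for the Durable Object and the audit trail is an in-memory array; the clock is injectable so the window rollover can be exercised deterministically. The class and function names (LicenseRateLimiter, RateLimitStage, tierFromLicense) are hypothetical, and treating any limitActivations value that is not >= 30 as Individual is this example's fail-to-the-lower-tier assumption, since the page only documents the values 3 and >= 30.

```javascript
// Added example (not ThornGuard's code): per-license fixed-window rate limiting.
const WINDOW_MS = 60_000;

// Requests per minute by tier, from the thresholds on this page.
// 0 means "unlimited": the limiter must treat it as "never block",
// not as "allow zero requests".
const TIER_LIMITS = { individual: 1000, enterprise: 0 };

// Map a Polar.sh license's limitActivations to a tier. The page documents
// 3 -> individual and >= 30 -> enterprise; anything else falls to the lower
// tier here (assumption made by this example, not documented behaviour).
function tierFromLicense(license) {
  return license.limitActivations >= 30 ? 'enterprise' : 'individual';
}

class LicenseRateLimiter {
  constructor(limitPerMinute, now) {
    this.limit = limitPerMinute;
    this.now = now;          // () => epoch milliseconds
    this.windowStart = -1;   // start of the window the counter belongs to
    this.count = 0;
  }

  // Count one request against the current one-minute window.
  // Returns { allowed, remaining, retryAfterSeconds }.
  hit() {
    if (this.limit === 0) {
      return { allowed: true, remaining: Infinity, retryAfterSeconds: 0 };
    }
    const t = this.now();
    const windowStart = t - (t % WINDOW_MS);
    if (windowStart !== this.windowStart) {
      // A new window has started: the counter resets automatically.
      this.windowStart = windowStart;
      this.count = 0;
    }
    if (this.count >= this.limit) {
      const msLeft = windowStart + WINDOW_MS - t;
      return { allowed: false, remaining: 0, retryAfterSeconds: Math.ceil(msLeft / 1000) };
    }
    this.count += 1;
    return { allowed: true, remaining: this.limit - this.count, retryAfterSeconds: 0 };
  }
}

// The rate-limiting stage of the pipeline: one limiter per license hash,
// 429 + Retry-After on overflow, and an audit entry for every block.
class RateLimitStage {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.limiters = new Map(); // stands in for the Durable Object namespace
    this.audit = [];           // stands in for the audit trail
  }

  // licenseHash: the already-hashed license key (authentication ran earlier).
  handle(licenseHash, license) {
    const tier = tierFromLicense(license);
    let limiter = this.limiters.get(licenseHash);
    if (!limiter) {
      limiter = new LicenseRateLimiter(TIER_LIMITS[tier], this.now);
      this.limiters.set(licenseHash, limiter);
    }
    const r = limiter.hit();
    if (!r.allowed) {
      this.audit.push({ action: 'BLOCKED_RATE_LIMIT', licenseHash, at: this.now() });
      return {
        status: 429,
        headers: { 'Retry-After': String(r.retryAfterSeconds) },
        body: 'Too Many Requests',
      };
    }
    // Allowed: the real gateway would proxy upstream here.
    return { status: 200, headers: {}, body: 'proxied' };
  }
}

// Walk one Individual license through a full window and into the next one.
function demo() {
  let clock = 1_700_000_000_000; // fixed epoch ms for determinism
  const stage = new RateLimitStage(() => clock);
  const individual = { limitActivations: 3 };
  const statuses = [];
  for (let i = 0; i < 1001; i++) statuses.push(stage.handle('lic-a', individual).status);
  statuses.push(stage.handle('lic-b', individual).status); // separate counter per license
  clock += WINDOW_MS;                                      // window rolls over
  statuses.push(stage.handle('lic-a', individual).status);
  return { lastStatuses: statuses.slice(-3), blocked: stage.audit.length };
}
```

Running demo() yields lastStatuses [429, 200, 200] and one audit entry: the 1,001st request on lic-a is blocked, lic-b is unaffected because it has its own counter, and lic-a is admitted again once the clock crosses into the next minute. The Enterprise path never reaches the counter at all because its limit is 0.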