IPTunnel Documentation

Rate Limits

Public-code issuance is protected by layered limits: browser session, browser fingerprint, source IP, and machine-bound activation buckets.

Current limits

Endpoint                               Limit        Window
POST /api/v2/slowdns/code/issue        3 requests   Per IP per hour
POST /api/v2/slowdns/code/issue        10 requests  Per IP per 24 hours
POST /api/v2/slowdns/code/issue        2 requests   Per browser session per hour
POST /api/v2/slowdns/code/issue        6 requests   Per browser fingerprint per 24 hours
POST /api/v2/slowdns/install/precheck  10 requests  Per IP and per machine per 24 hours
POST /api/v2/slowdns/install/activate  5 requests   Per IP and per machine per 24 hours

The confirm and release endpoints are not rate-limited — they require a valid activation ID and signed token, which already act as a hard cap.

What a 429 looks like

When the limit is exceeded the server returns HTTP 429 with this body:

{
  "error": {
    "code": "rate_limit_exceeded",
    "message": "Too many requests. Please wait before trying again."
  }
}

The public code-issue endpoint also requires a valid browser session cookie from /slowdns. Even if the IP limit has not been reached, the request can still be rejected if the browser session expired or if the browser-session bucket has been exhausted.

How windows are counted

Windows are fixed UTC time buckets, not rolling windows. The hourly bucket for issue_code resets at each UTC hour boundary (for example 14:00, 15:00). The daily buckets for issue_code, precheck, and activate reset at UTC midnight. If you are right at the window boundary, the limit resets within the next minute.
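
The sketch below is an added example, not IPTunnel's own code: it models the layered code-issue limits from the table as fixed UTC buckets and reports when a rejected caller can retry. The LayeredLimiter class, its in-memory counter, the sample identifiers, and the choice not to count rejected requests are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# (scope, limit, window) for POST /api/v2/slowdns/code/issue, from the table above.
ISSUE_LIMITS = [("ip", 3, "hour"), ("ip", 10, "day"),
                ("session", 2, "hour"), ("fingerprint", 6, "day")]

def window_start(now, window):
    """Start of the fixed UTC bucket ("hour" or "day") that contains `now`."""
    now = now.astimezone(timezone.utc)
    if window == "hour":
        return now.replace(minute=0, second=0, microsecond=0)
    return now.replace(hour=0, minute=0, second=0, microsecond=0)

def next_reset(now, window):
    """UTC instant at which the bucket containing `now` is replaced by a fresh one."""
    step = timedelta(hours=1) if window == "hour" else timedelta(days=1)
    return window_start(now, window) + step

class LayeredLimiter:
    """Hypothetical in-memory limiter: a request passes only if every layer has room."""
    def __init__(self, limits=ISSUE_LIMITS):
        self.limits = limits
        self.counts = Counter()  # (scope, identifier, window, bucket start) -> hits

    def check(self, now, ids):
        """ids maps scope -> identifier. Returns (allowed, retry_at)."""
        keys = [(s, ids[s], w, window_start(now, w)) for s, _, w in self.limits]
        exhausted = [next_reset(now, w)
                     for (_, limit, w), key in zip(self.limits, keys)
                     if self.counts[key] >= limit]
        if exhausted:
            # Assumption: rejected requests are not counted. The latest reset
            # among the exhausted layers is the earliest useful retry time.
            return False, max(exhausted)
        for key in keys:
            self.counts[key] += 1
        return True, None

if __name__ == "__main__":
    utc = timezone.utc
    limiter = LayeredLimiter()
    ids = {"ip": "203.0.113.7", "session": "s1", "fingerprint": "f1"}  # constructed
    for t in (datetime(2024, 1, 1, 14, 10, tzinfo=utc),
              datetime(2024, 1, 1, 14, 20, tzinfo=utc),
              datetime(2024, 1, 1, 14, 59, 30, tzinfo=utc),   # session bucket full
              datetime(2024, 1, 1, 15, 0, tzinfo=utc)):       # new hourly bucket
        print(t.isoformat(), limiter.check(t, ids))
```

A client that receives the 429 body shown earlier can use the same next_reset calculation to schedule its retry instead of polling.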