Security, Rate Limiting & Content Policy

Layered defenses — rate limits, CSP, and circuit breakers — that protect the platform from abuse, control costs, and keep service reliable for all customers.

What Is This Feature?

Running an AI assistant at scale means you're operating a service that could, in theory, be misused — flooded with automated requests, probed for weaknesses, or manipulated through malicious inputs. This feature covers the layered defenses that keep your platform secure, your costs predictable, and your customers' experiences uninterrupted: per-customer usage limits, content security policies, and automatic circuit breakers that protect your system when something upstream goes wrong.


Why It Matters to Your Business

Security and reliability are table stakes for enterprise sales. Customers want to know that their data is protected, that their usage won't be affected by someone else's abuse, and that the platform won't rack up unexpected costs on their behalf.

  • Cost protection. AI responses cost money — compute, API calls to LLM providers. Without limits, a single misconfigured integration or bad actor could generate thousands of dollars of unexpected charges overnight. Per-key rate limits put a hard ceiling on this.
  • Fair service for everyone. If one customer's integration goes rogue and sends thousands of requests per minute, it shouldn't degrade the experience for other customers. Rate limiting ensures fair resource distribution.
  • Protection from web attacks. Content Security Policies (CSP) restrict which scripts a browser will run on your pages, which blocks a class of web attacks where malicious scripts are injected into them. Violations are automatically reported and aggregated, giving your security team visibility without manual monitoring.
  • Graceful degradation. When an upstream AI provider has an outage or becomes slow, you don't want that to take your entire platform down. Automatic circuit breakers detect the problem and route traffic away from the failing provider, keeping your service up for customers.

How It Works (No Technical Jargon)

Rate Limiting

Quotas can be set per customer, per integration, or globally. Legitimate customers who hit their limit by accident can request an increase through a self-service flow.

Content Security Policy (CSP)

Circuit Breakers


What You Can See and Control

  • Real-time quota usage per API key, with alerts when limits are approached
  • A log of rejected requests (who was rate limited, when, how often)
  • A feed of Content Security Policy violations, grouped by type
  • The current state of each circuit breaker (healthy, degraded, open)
  • Controls to temporarily raise quotas for specific customers or integrations

What to Expect on the Roadmap

The team is building:

1. Per-API-key quota middleware with real-time tracking and monitoring dashboards (estimated 3 weeks)
2. CSP violation reporting and alerting
3. Circuit breaker wrappers for all external AI provider connections

Once live, you'll have clear controls and visibility over platform usage, with automatic protection against both external abuse and upstream failures.