# Rate Limiting

Protect API routes with sliding-window rate limiting.
Creator uses Upstash Redis with a sliding-window algorithm to rate limit API routes. Configuration lives in lib/rate-limit.ts.
## Setup

Set the Upstash environment variables:

```bash
UPSTASH_REDIS_REST_URL=""
UPSTASH_REDIS_REST_TOKEN=""
```

Rate limiting is optional: if these variables are not set, the limiter is not initialized and routes are served without any limit, so make sure they are set in production.
## Tiers

Three tiers are defined out of the box:

| Tier | Limit | Use case |
|---|---|---|
| auth | 10 requests / 60s | Login, register, forgot password, OTP |
| sensitive | 5 requests / 60s | OTP verification, email change |
| api | 60 requests / 60s | General API endpoints |
## Usage

Call rateLimit() at the top of any API route. It returns a 429 response if the limit is exceeded, or null if the request is allowed.

```ts
import { rateLimit } from "@/lib/rate-limit";

export async function POST(request: Request) {
  const limited = await rateLimit(request, "auth");
  if (limited) return limited;
  // Handle request...
}
```

### Adding a new tier
Add a new entry to the limiters object in lib/rate-limit.ts:

```ts
const limiters = {
  // ...existing tiers
  upload: new Ratelimit({
    redis: Redis.fromEnv(),
    limiter: Ratelimit.slidingWindow(20, "60 s"),
    prefix: "rl:upload",
  }),
};
```

The new tier is immediately available via rateLimit(request, "upload").
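To show what the tiers above and the rateLimit() call shape actually do, here is an added in-memory stand-in for the Upstash-backed limiter; it is example code, not lib/rate-limit.ts. The weighted two-window sliding algorithm, the Map store, the client key derived from X-Forwarded-For and the injectable clock are this example's assumptions.

```typescript
// Added example: in-memory stand-in for the Upstash-backed limiter in lib/rate-limit.ts.
// Same tiers and call shape (rateLimit(request, tier) -> 429 response | null); the store,
// the weighted two-window algorithm and the `now` parameter are assumptions of this example.

type Tier = "auth" | "sensitive" | "api";

const TIERS: Record<Tier, { limit: number; windowMs: number }> = {
  auth: { limit: 10, windowMs: 60_000 },
  sensitive: { limit: 5, windowMs: 60_000 },
  api: { limit: 60, windowMs: 60_000 },
};

// Minimal shapes so the example runs without a web runtime; a real Request satisfies `Limitable`.
interface Limitable { headers: { get(name: string): string | null } }
interface LimitResponse { status: 429; body: string; headers: Record<string, string> }

// One bucket per "tier:client": hits in the current fixed window and in the one before it.
interface Bucket { windowStart: number; current: number; previous: number }
const store = new Map<string, Bucket>();

export function clientKey(request: Limitable): string {
  // Trust X-Forwarded-For only if your proxy overwrites it; otherwise clients pick their own key.
  const xff = request.headers.get("x-forwarded-for");
  return xff ? xff.split(",")[0].trim() : "unknown";
}

export function rateLimit(request: Limitable, tier: Tier, now = Date.now()): LimitResponse | null {
  const { limit, windowMs } = TIERS[tier];
  const key = `rl:${tier}:${clientKey(request)}`;
  const windowStart = Math.floor(now / windowMs) * windowMs;
  let bucket = store.get(key);
  if (!bucket || bucket.windowStart !== windowStart) {
    // Roll the window; the old count carries over only if it was the immediately previous window.
    const previous = bucket && bucket.windowStart === windowStart - windowMs ? bucket.current : 0;
    bucket = { windowStart, current: 0, previous };
    store.set(key, bucket);
  }
  // Weight the previous window by how much of it still overlaps the trailing window length.
  const elapsed = now - windowStart;
  const estimate = bucket.previous * ((windowMs - elapsed) / windowMs) + bucket.current;
  if (estimate >= limit) {
    return {
      status: 429,
      body: "Too Many Requests",
      headers: { "Retry-After": String(Math.ceil((windowMs - elapsed) / 1000)) },
    };
  }
  bucket.current += 1;
  return null;
}
```

Because counts from the previous window are weighted in, a burst of 10 auth requests still counts as 5 halfway through the next window, which is what makes the limit slide rather than reset on a fixed boundary.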