Open documentation index
Getting startedOverviewInstallationQuick startCore concepts
ConfigurationConfiguration referenceProvidersRouting and failoverRate limiting
OperationsStorageObservabilitySecurityTUI dashboardAI routing
ReferenceCLI referenceAdmin APITroubleshooting
Docs/Configuration/Rate limiting
Configuration

Rate limiting

Protect models and credentials with RPM, token, concurrency, and daily quota limits.

Limit levels

LevelConfigurationScope
Model RPMmodels[].requests_per_minuteAll traffic targeting one model.
Model concurrencymodels[].max_concurrent_requestsSimultaneous requests for one model.
Key RPMkeys[].requests_per_minuteRequests using one credential.
Key tokens/minutekeys[].tokens_per_minuteCombined input and output tokens for one key.
Key concurrencykeys[].max_concurrent_requestsSimultaneous requests using one key.
Daily request quotakeys[].daily_request_limitRequests per key per day.
Daily token quotakeys[].daily_token_limitTokens per key per day.

Evaluation order

  1. Model-wide RPM capacity is checked.
  2. Model-wide concurrency capacity is checked.
  3. The router filters key candidates using per-key minute, daily, and concurrency limits.
  4. The routing strategy selects one of the remaining candidates.
  5. Usage is updated from the request and provider response.

Model-level limits protect the complete route. Key-level limits protect individual provider credentials.

Configuration example

config.yaml
models:
  - id: production-chat
    provider_id: provider-a
    model_name: upstream-chat
    strategy: round_robin
    requests_per_minute: 200
    max_concurrent_requests: 20
    enabled: true

keys:
  - id: key-a
    provider_id: provider-a
    model_id: production-chat
    value_env: PROVIDER_KEY_A
    requests_per_minute: 60
    tokens_per_minute: 30000
    max_concurrent_requests: 4
    daily_request_limit: 5000
    daily_token_limit: 2000000

When capacity is exhausted

An exhausted key is skipped while another eligible key exists. When the complete model or group has no usable capacity, ModelMux returns HTTP 429.

A local 429 can therefore mean either the model-wide limit is full or every candidate key is unavailable, limited, disabled, invalid, or cooling down. Inspect key state and recent logs to identify the exact cause.

Restart semantics

Minute windows are maintained in memory and reset when the process restarts. Daily counters, key runtime state, quotas, and cooldowns can survive restarts when SQLite storage is enabled.

Do not use process restarts as a quota-reset mechanism. Provider-side limits remain in effect regardless of local state.

Capacity planning

  • Set local limits below provider-advertised limits when upstream enforcement is strict or bursty.
  • Reserve concurrency for health checks and operational tests.
  • Use token limits for workloads with highly variable prompt and response sizes.
  • Use model-wide limits to prevent a large key pool from exceeding application or infrastructure capacity.
  • Monitor cooldown frequency. Repeated cooldowns usually indicate local limits are too high or upstream capacity is insufficient.