Operational runbooks for SyntrixOne platform owners and workspace admins.
The exact limits enforced server-side.
5 per hour per IP and per email.
POST /api/auth/register: 5 attempts per hour per IP, 5 attempts per hour per email. Excess returns HTTP 429 with a Retry-After header.
Disposable-email checks run BEFORE the rate-limit counter increments, so blocked attempts do not exhaust legitimate users' budget.
5 per hour per IP and per email.
POST /api/auth/forgot: 5 per hour per IP (429), 5 per hour per email (200 with `throttled:true` to avoid account enumeration).
A Retry-After header is always included.
10 per day per email + 50 per day per IP.
POST /api/auth/resend-verification: 10 per day per email (primary limit) + 50 per day per IP (backstop against attackers spraying many addresses).
60-second cooldown between consecutive requests is enforced separately.
When a legitimate user is locked out.
Counters live in the `rate_limits` Mongo collection with TTL via `expiresAt`. To clear a specific user's counter:
db.rate_limits.deleteMany({ scope: "register_email", key: "<lowercase-email>" })
Replace the scope to clear other limiters (forgot_email, resend_verify_email, register_ip, …).
Reach the SyntrixOne platform team or browse the user-facing Help Center.
