
fix: disable Better Auth API key rate limits#158

Open
R44VC0RP wants to merge 1 commit intomainfrom
fix/disable-better-auth-rate-limits

Conversation

R44VC0RP (Collaborator) commented Feb 2, 2026

Summary

  • Disables Better Auth's per-API-key rate limiting in favor of Upstash Redis rate limiting

Problem

Users reported intermittent 401 "Authentication required" errors when making API calls (e.g., deleting email addresses). The actual cause was hitting Better Auth's rate limit (4 req/sec per key), but the error message was misleading.

Root cause: Better Auth's verifyApiKey() returns { valid: false } when rate-limited, and our E2 middleware treated all invalid responses as auth failures → 401.

Solution

Disable Better Auth rate limits entirely. Rate limiting is already handled by Upstash Redis in app/api/e2/lib/auth.ts which:

| Feature        | Better Auth (disabled)          | Upstash (active)           |
| -------------- | ------------------------------- | -------------------------- |
| Limit          | 4 req/sec per key               | 10 req/sec per user        |
| Storage        | Postgres (DB write per request) | Redis                      |
| Error response | 401 (wrong)                     | 429 with proper headers    |
| Headers        | None                            | X-RateLimit-*, Retry-After |

Changes

  • lib/auth/auth.ts: Set rateLimit.enabled: false in apiKey plugin config

Testing

  • API calls that previously hit the 4/sec limit will now succeed (up to 10/sec)
  • Rate limit errors will correctly return 429 with helpful headers

Note (Cursor Bugbot)

Medium Risk: touches API key authentication behavior; disabling built-in throttling relies on external middleware being correctly configured, which could affect protection against abuse if misconfigured.

Overview: disables Better Auth's per-API-key rate limiting by setting apiKey().rateLimit.enabled to false in lib/auth/auth.ts.

Adds inline comments clarifying that rate limiting is handled elsewhere (Upstash in E2 middleware) to avoid duplicate limits and to return proper 429 responses instead of misleading 401s.

Written by Cursor Bugbot for commit b9de77e.

Better Auth's per-key rate limiting was causing misleading 401 errors
when users exceeded the 4 req/sec limit. The error said 'Authentication
required' instead of indicating rate limiting.

Rate limiting is now handled solely by Upstash Redis in the E2 middleware
(app/api/e2/lib/auth.ts) which:
- Returns proper 429 status codes
- Includes standard rate limit headers (X-RateLimit-*, Retry-After)
- Uses sliding window algorithm (10 req/sec per user)
- Doesn't require DB writes on every request

Fixes intermittent 401 errors reported when deleting email addresses via API.
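The 401-versus-429 split that the PR description and commit message describe, as an added example that is not inbound's E2 middleware, Better Auth's verifyApiKey(), or the Upstash client: a verifier stand-in that only answers the authentication question, an in-memory sliding window (10 req/sec per user, the figure the PR gives for Upstash) standing in for Redis, and a handler that sends X-RateLimit-* and Retry-After on a 429 while keeping 401 for a bad key. The key table, request shape, timestamps and function names are all constructed for the demo.

```typescript
// Added example, not inbound's code or any library's API. Models the two
// outcomes the PR separates: invalid key -> 401, throttled caller -> 429 with
// rate-limit headers. The in-memory Map below stands in for Upstash Redis.

type ApiRequest = { apiKey: string | null; nowMs: number };
type ApiResponse = { status: number; headers: Record<string, string>; body: string };

// Constructed API key table: key -> owning user (assumption, not a real key format).
const API_KEYS: Record<string, string> = { ibk_live_example: "user_1" };

// Stand-in for Better Auth's verifyApiKey() with its own rate limiting disabled:
// it only answers the auth question, so `valid: false` always means "not authenticated".
function verifyApiKey(key: string | null): { valid: boolean; userId?: string } {
  if (!key) return { valid: false };
  const userId = API_KEYS[key];
  return userId ? { valid: true, userId } : { valid: false };
}

// Sliding-window limiter: 10 requests per 1000 ms per user, as the PR states for Upstash.
const LIMIT = 10;
const WINDOW_MS = 1000;
const hits = new Map<string, number[]>(); // userId -> request timestamps still inside the window

type LimitResult = { allowed: boolean; remaining: number; resetMs: number };

function checkRateLimit(userId: string, nowMs: number): LimitResult {
  // Drop timestamps that have aged out of the window, then count what is left.
  const recent = (hits.get(userId) ?? []).filter((t) => t > nowMs - WINDOW_MS);
  if (recent.length >= LIMIT) {
    hits.set(userId, recent);
    // The window slides: capacity returns when the oldest hit leaves the window.
    return { allowed: false, remaining: 0, resetMs: recent[0] + WINDOW_MS };
  }
  recent.push(nowMs);
  hits.set(userId, recent);
  return { allowed: true, remaining: LIMIT - recent.length, resetMs: nowMs + WINDOW_MS };
}

// Standard rate-limit headers; Retry-After (seconds, minimum 1) only on a throttled response.
function rateLimitHeaders(r: LimitResult, nowMs: number): Record<string, string> {
  const h: Record<string, string> = {
    "X-RateLimit-Limit": String(LIMIT),
    "X-RateLimit-Remaining": String(r.remaining),
    "X-RateLimit-Reset": String(Math.ceil(r.resetMs / 1000)),
  };
  if (!r.allowed) h["Retry-After"] = String(Math.max(1, Math.ceil((r.resetMs - nowMs) / 1000)));
  return h;
}

// Middleware order matters: authenticate first, throttle second, and give each
// failure its own status so a client can tell "bad key" from "slow down".
function handle(req: ApiRequest): ApiResponse {
  const auth = verifyApiKey(req.apiKey);
  if (!auth.valid || !auth.userId) {
    return { status: 401, headers: {}, body: "Authentication required" };
  }
  const limit = checkRateLimit(auth.userId, req.nowMs);
  const headers = rateLimitHeaders(limit, req.nowMs);
  if (!limit.allowed) {
    return { status: 429, headers, body: "Rate limit exceeded" };
  }
  return { status: 200, headers, body: "ok" };
}

// Constructed traffic: 12 requests 50 ms apart from one key (the 11th and 12th
// exceed 10/sec), one more 1.1 s after the first (window has slid), then an unknown key.
function demo(): ApiResponse[] {
  hits.clear();
  const out: ApiResponse[] = [];
  for (let i = 0; i < 12; i++) {
    out.push(handle({ apiKey: "ibk_live_example", nowMs: 1000000 + i * 50 }));
  }
  out.push(handle({ apiKey: "ibk_live_example", nowMs: 1001100 }));
  out.push(handle({ apiKey: "ibk_bogus", nowMs: 1001100 }));
  return out;
}

console.log(demo().map((r) => `${r.status} ${JSON.stringify(r.headers)}`).join("\n"));
```

The per-process Map is only for the demo: on a serverless deployment every instance would keep its own counter, which is why the real middleware keeps window state in Redis. The order of checks is the practical point: if the limiter ran before key verification, an unauthenticated flood could burn a user's budget, and if a rate-limit result were folded into the auth result, the client would see the misleading 401 the PR fixes.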
vercel bot (Contributor) commented Feb 2, 2026

The latest updates on your projects.

| Project     | Deployment | Actions | Updated (UTC)       |
| ----------- | ---------- | ------- | ------------------- |
| inbound.new | Error      | Error   | Feb 2, 2026 5:29pm  |
