Skip to content

feat(api): add rate limiting to endpoint passthrough API#4439

Merged
wsxiaoys merged 1 commit into
nextfrom
feat/rate-limit
Feb 9, 2026
Merged

feat(api): add rate limiting to endpoint passthrough API#4439
wsxiaoys merged 1 commit into
nextfrom
feat/rate-limit

Conversation

@zwpaper

@zwpaper zwpaper commented Feb 9, 2026

Copy link
Copy Markdown
Member

Summary

  • Add per-user rate limiting using leaky-bucket algorithm for endpoint forwarding
  • Require authentication for endpoint access (returns 401 if no user)
  • Return 429 Too Many Requests when rate limit is exceeded
  • Improve error handling: forward 4xx errors from upstream, return 504 Gateway Timeout on timeout errors
  • Refactor: rename agent.rs to endpoint.rs, extract rate_limit.rs module

Configuration

Rate limiting is configured per-endpoint via the user_quota.requests_per_minute field in config.toml:

[[endpoints]]
name = "pochi"
api_route = "https://api.openai.com"
timeout = 5000
user_quota = { requests_per_minute = 30 }
headers = { Authorization = "Bearer xxx" }

Test plan

  • Test endpoint access without authentication returns 401
  • Test rate limiting triggers 429 after exceeding requests_per_minute
  • Test upstream 4xx errors are forwarded correctly
  • Test timeout returns 504 Gateway Timeout

🤖 Generated with Pochi | Task


Requests per minute would be converted into qps, and applied every second:

1800 requests per minutes:

image

- Add per-user rate limiting using leaky-bucket algorithm for endpoint forwarding
- Require authentication (401 Unauthorized if no user)
- Return 429 Too Many Requests when rate limit exceeded
- Improve error handling: forward 4xx errors, return 504 on timeout
- Refactor: rename agent.rs to endpoint.rs, extract rate_limit.rs

🤖 Generated with [Pochi](https://getpochi.com) | [Task](https://app.getpochi.com/share/p-49150d4e75774590b90800576e6c68c4)

Co-Authored-By: Pochi <noreply@getpochi.com>
@zwpaper zwpaper changed the base branch from main to next February 9, 2026 17:29
@zwpaper zwpaper requested a review from wsxiaoys February 9, 2026 17:30
@codecov

codecov Bot commented Feb 9, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 0% with 69 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (next@a24a1b5). Learn more about missing BASE report.

Files with missing lines Patch % Lines
crates/tabby/src/routes/endpoint.rs 0.00% 31 Missing ⚠️
crates/tabby/src/routes/rate_limit.rs 0.00% 27 Missing ⚠️
crates/tabby/src/serve.rs 0.00% 11 Missing ⚠️

❌ Your patch status has failed because the patch coverage (0.00%) is below the target coverage (75.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@           Coverage Diff           @@
##             next    #4439   +/-   ##
=======================================
  Coverage        ?   54.17%           
=======================================
  Files           ?      229           
  Lines           ?    27113           
  Branches        ?        0           
=======================================
  Hits            ?    14689           
  Misses          ?    12424           
  Partials        ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@wsxiaoys wsxiaoys merged commit 667b245 into next Feb 9, 2026
13 of 15 checks passed
@wsxiaoys wsxiaoys deleted the feat/rate-limit branch February 9, 2026 17:53
gunakarchalla pushed a commit to gunakarchalla/tabby that referenced this pull request May 19, 2026
- Add per-user rate limiting using leaky-bucket algorithm for endpoint forwarding
- Require authentication (401 Unauthorized if no user)
- Return 429 Too Many Requests when rate limit exceeded
- Improve error handling: forward 4xx errors, return 504 on timeout
- Refactor: rename agent.rs to endpoint.rs, extract rate_limit.rs

🤖 Generated with [Pochi](https://getpochi.com) | [Task](https://app.getpochi.com/share/p-49150d4e75774590b90800576e6c68c4)

Co-authored-by: Pochi <noreply@getpochi.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants