baptisteArno · utsav1213 · Apr 16, 2026 · Apr 18, 2026 · Copilot · Apr 16, 2026
diff --git a/apps/builder/src/app/api/[[...rest]]/route.ts b/apps/builder/src/app/api/[[...rest]]/route.ts
@@ -115,6 +115,7 @@ async function handleRequest(
     const { response } = await handler.handle(resolvedRequest, {
       prefix: "/api",
       context: createContext({
+        req: request,
         authenticate: async () => {
           const user =
             (await auth())?.user ||

diff --git a/apps/builder/src/app/api/orpc/[[...rest]]/route.ts b/apps/builder/src/app/api/orpc/[[...rest]]/route.ts
@@ -15,6 +15,7 @@ async function handleRequest(request: Request) {
     const { response } = await handler.handle(request, {
       prefix: "/api/orpc",
       context: createContext({
+        req: request,
         authenticate: async () => {
           const session = await auth();
           if (!session?.user) return null;

diff --git a/bun.lock b/bun.lock
diff --git a/package.json b/package.json
@@ -58,6 +58,7 @@
     "@types/node": "^24.10.13",
     "esbuild": "^0.27.4",
     "husky": "^9.1.7",
+    "ioredis": "^5.4.1",
     "jiti": "2.6.1",
     "nx": "22.5.4",
     "rimraf": "^6.1.3",

diff --git a/packages/bot-engine/package.json b/packages/bot-engine/package.json
@@ -45,6 +45,7 @@
     "@typebot.io/theme": "workspace:*",
     "@typebot.io/typebot": "workspace:*",
     "@typebot.io/variables": "workspace:*",
+    "@upstash/ratelimit": "^0.4.3",
     "chrono-node": "2.7.6",
     "date-fns": "^2.30.0",
     "date-fns-tz": "^2.0.0",

diff --git a/packages/bot-engine/src/api/handleStartChatPreview.ts b/packages/bot-engine/src/api/handleStartChatPreview.ts
@@ -6,11 +6,14 @@ import {
 } from "@typebot.io/chat-api/schemas";
 import { restartSession } from "@typebot.io/chat-session/queries/restartSession";
 import { createId } from "@typebot.io/lib/createId";
+import { getIp } from "@typebot.io/lib/getIp";
 import { withSessionStore } from "@typebot.io/runtime-session-store";
+import { ORPCError } from "@orpc/server";
 import { z } from "zod";
 import { computeCurrentProgress } from "../computeCurrentProgress";
 import { saveStateToDatabase } from "../saveStateToDatabase";
 import { startSession } from "../startSession";
+import { startPreviewRateLimiter } from "../lib/rateLimiter";
 
 export const startPreviewChatInputSchema = z.object({
   typebotId: z
@@ -60,6 +63,7 @@ export const startPreviewChatInputSchema = z.object({
 
 type Context = {
   user: { id: string } | null;
+  req?: any;
-  req?: any;
+  req?: Request;
-  req?: any;
+  req?: Request;
 };
 
 export const handleStartChatPreview = async ({
@@ -74,11 +78,22 @@ export const handleStartChatPreview = async ({
     sessionId: sessionIdProp,
     textBubbleContentFormat,
   },
-  context: { user },
+  context: { user, req },
 }: {
   input: z.infer<typeof startPreviewChatInputSchema>;
   context: Context;
 }) => {
+  if (startPreviewRateLimiter) {
+    const ip = req ? getIp(req) : undefined;
-    const ip = req ? getIp(req) : undefined;
+    const headers = req?.headers
+      ? {
+          "x-forwarded-for":
+            typeof req.headers.get === "function"
+              ? (req.headers.get("x-forwarded-for") ?? undefined)
+              : req.headers["x-forwarded-for"],
+          "cf-connecting-ip":
+            typeof req.headers.get === "function"
+              ? (req.headers.get("cf-connecting-ip") ?? undefined)
+              : req.headers["cf-connecting-ip"],
+        }
+      : undefined;
+    const ip = headers ? getIp(headers) : undefined;
-    const ip = req ? getIp(req) : undefined;
+    const headers = req?.headers
+      ? {
+          "x-forwarded-for":
+            typeof req.headers.get === "function"
+              ? (req.headers.get("x-forwarded-for") ?? undefined)
+              : req.headers["x-forwarded-for"],
+          "cf-connecting-ip":
+            typeof req.headers.get === "function"
+              ? (req.headers.get("cf-connecting-ip") ?? undefined)
+              : req.headers["cf-connecting-ip"],
+        }
+      : undefined;
+    const ip = headers ? getIp(headers) : undefined;
+    const id = user?.id ?? ip ?? "unknown";
+    const { success } = await startPreviewRateLimiter.limit(id);
+    if (!success) {
+      throw new ORPCError("TOO_MANY_REQUESTS", {
+        message: "Rate limit exceeded. Please try again later.",
+      });
+    }
+  }
+
   const sessionId = sessionIdProp ?? createId();
   return withSessionStore(sessionId, async (sessionStore) => {
     const {

diff --git a/packages/bot-engine/src/lib/rateLimiter.ts b/packages/bot-engine/src/lib/rateLimiter.ts
@@ -0,0 +1,54 @@
+import { env } from "@typebot.io/env";
+import { Ratelimit } from "@upstash/ratelimit";
+import Redis from "ioredis";
+
+type Unit = "ms" | "s" | "m" | "h" | "d";
+type Duration = `${number} ${Unit}` | `${number}${Unit}`;
+
+type RateLimitConfig = {
+  requests: number;
+  window: Duration;
+  prefix?: string;
+};
+
+export const createRateLimiter = (config: RateLimitConfig) => {
+  if (!env.REDIS_URL) return;
+
+  const redis = new Redis(env.REDIS_URL);
+
+  const rateLimitCompatibleRedis = {
+    sadd: <TData>(key: string, ...members: TData[]) =>
+      redis.sadd(key, ...members.map((m) => String(m))),
+    eval: async <TArgs extends unknown[], TData = unknown>(
+      script: string,
+      keys: string[],
+      args: TArgs,
+    ) =>
+      redis.eval(
+        script,
+        keys.length,
+        ...keys,
+        ...(args ?? []).map((a) => String(a)),
+      ) as Promise<TData>,
+  };
+
+  return new Ratelimit({
+    redis: rateLimitCompatibleRedis as any,
+    limiter: Ratelimit.slidingWindow(config.requests, config.window),
+    prefix: config.prefix,
+  });
+};
+
+declare const window: { startPreviewRateLimiter: Ratelimit | undefined };
+
+const windowAny = globalThis as any;
+
+if (!windowAny.startPreviewRateLimiter && env.REDIS_URL) {
+  windowAny.startPreviewRateLimiter = createRateLimiter({
+    requests: 20,
+    window: "1 m",
+    prefix: "start-preview-ratelimit",
+  });
+}
+
+export const startPreviewRateLimiter = windowAny.startPreviewRateLimiter as Ratelimit | undefined;
-declare const window: { startPreviewRateLimiter: Ratelimit | undefined };
-
-const windowAny = globalThis as any;
-
-if (!windowAny.startPreviewRateLimiter && env.REDIS_URL) {
-  windowAny.startPreviewRateLimiter = createRateLimiter({
-    requests: 20,
-    window: "1 m",
-    prefix: "start-preview-ratelimit",
-  });
-}
-
-export const startPreviewRateLimiter = windowAny.startPreviewRateLimiter as Ratelimit | undefined;
+declare const global: {
+  startPreviewRateLimiter: Ratelimit | undefined;
+};
+
+if (!global.startPreviewRateLimiter && env.REDIS_URL) {
+  global.startPreviewRateLimiter = createRateLimiter({
+    requests: 20,
+    window: "1 m",
+    prefix: "start-preview-ratelimit",
+  });
+}
+
+export const startPreviewRateLimiter = global.startPreviewRateLimiter;
-declare const window: { startPreviewRateLimiter: Ratelimit | undefined };
-
-const windowAny = globalThis as any;
-
-if (!windowAny.startPreviewRateLimiter && env.REDIS_URL) {
-  windowAny.startPreviewRateLimiter = createRateLimiter({
-    requests: 20,
-    window: "1 m",
-    prefix: "start-preview-ratelimit",
-  });
-}
-
-export const startPreviewRateLimiter = windowAny.startPreviewRateLimiter as Ratelimit | undefined;
+declare const global: {
+  startPreviewRateLimiter: Ratelimit | undefined;
+};
+
+if (!global.startPreviewRateLimiter && env.REDIS_URL) {
+  global.startPreviewRateLimiter = createRateLimiter({
+    requests: 20,
+    window: "1 m",
+    prefix: "start-preview-ratelimit",
+  });
+}
+
+export const startPreviewRateLimiter = global.startPreviewRateLimiter;
diff --git a/packages/config/src/orpc/builder/context.ts b/packages/config/src/orpc/builder/context.ts
@@ -9,11 +9,14 @@ export type UserInOrpcContext = {
 
 export function createContext({
   authenticate,
+  req,
 }: {
   authenticate: () => Promise<UserInOrpcContext | null>;
+  req?: Request;
 }) {
   return {
     authenticate,
+    req,
   };
 }
 

diff --git a/packages/config/src/orpc/viewer/context.ts b/packages/config/src/orpc/viewer/context.ts
@@ -10,6 +10,7 @@ export function createContext({
     iframeReferrerOrigin:
       req.headers.get("x-typebot-iframe-referrer-origin") ?? undefined,
     authenticate,
+    req,
   };
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,6 +10,7 @@ export function createContext({ @@
         iframeReferrerOrigin:
           req.headers.get("x-typebot-iframe-referrer-origin") ?? undefined,
         authenticate,
+        req,
       };
     }
@@ Expand Down @@