Rate Limit
The Rate Limit node throttles pipeline execution to prevent abuse. It tracks request counts per IP address, user, or globally using WordPress transients. If the limit is exceeded, it returns an error and blocks downstream execution.
Configuration
| Property | Type | Default | Description |
|---|---|---|---|
| maxRequests | number | 5 | Maximum number of requests allowed within the time window. |
| windowSeconds | number | 60 | Time window in seconds. The counter resets after this period. |
| scope | string | ip | How to identify the requester: ip, user, or global. |
Scope Options
| Scope | Description |
|---|---|
| ip | Rate limit per client IP address. Different users on the same network share the limit. |
| user | Rate limit per logged-in WordPress user ID. Anonymous users share a single bucket (user ID 0). |
| global | Rate limit shared across all requests. Useful for protecting expensive operations. |
Input
Accepts any data type. The node does not inspect the input -- it only checks and increments the rate counter.
Output
- Under limit: Returns the input data unchanged, and increments the request counter.
- Over limit: Returns an error object:
```json
{
  "_valid": false,
  "_errors": ["Rate limit exceeded. Please try again in 60 seconds."],
  "_rate_limited": true
}
```
How It Works
- The node builds a unique identifier based on the `scope` setting (IP address, user ID, or `global`).
- It creates a transient key: `nxs_rl_` + MD5 of the identifier.
- It reads the current count from the WordPress transient.
- If the count exceeds `maxRequests`, it returns an error.
- Otherwise, it increments the counter and sets the transient with the `windowSeconds` expiration.
The transient automatically expires after windowSeconds, effectively resetting the counter.
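The steps above, modelled in Python as an added example; this is not the plugin's own code, which runs in PHP on WordPress transients. `TransientStore`, `bucket_key`, `rate_limit`, the identifier strings, the `>=` comparison and the expiry being re-armed on every write are assumptions made for the model.

```python
import hashlib


class TransientStore:
    """In-memory stand-in for WordPress transients: a value plus an absolute expiry."""

    def __init__(self):
        self.now = 0.0      # constructed clock, advanced by the caller
        self._data = {}

    def get(self, key):
        value, expires = self._data.get(key, (None, 0.0))
        return value if self.now < expires else None

    def set(self, key, value, ttl):
        # Assumption: every write re-arms the expiry to now + ttl.
        self._data[key] = (value, self.now + ttl)


def bucket_key(scope, ip=None, user_id=0):
    """Transient key as documented: nxs_rl_ + MD5 of the identifier."""
    if scope == "ip":
        identifier = "ip:" + ip                # identifier format is assumed
    elif scope == "user":
        identifier = "user:" + str(user_id)    # anonymous visitors are user ID 0
    elif scope == "global":
        identifier = "global"
    else:
        raise ValueError("unknown scope: " + scope)
    return "nxs_rl_" + hashlib.md5(identifier.encode()).hexdigest()


def rate_limit(store, data, max_requests=5, window_seconds=60, scope="ip", **who):
    """Return data unchanged while under the limit, else the documented error object."""
    key = bucket_key(scope, **who)
    count = store.get(key) or 0
    if count >= max_requests:   # assumption: block once max_requests have passed
        message = f"Rate limit exceeded. Please try again in {window_seconds} seconds."
        return {"_valid": False, "_errors": [message], "_rate_limited": True}
    store.set(key, count + 1, window_seconds)   # blocked requests never reach this line
    return data


def allowed(result):
    """True when the node passed the input through instead of returning the error."""
    return not (isinstance(result, dict) and result.get("_rate_limited"))
```

Under these assumptions a client sending one request every 50 seconds is blocked on its sixth request, because each allowed request pushes the expiry out by another `windowSeconds`. The bucket clears `windowSeconds` after the last allowed request, since blocked requests do not write the transient.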
Example Use Cases
Prevent form spam (5 submissions per minute per IP)

```
maxRequests: 5
windowSeconds: 60
scope: "ip"
```

Limit API calls (100 per hour per user)

```
maxRequests: 100
windowSeconds: 3600
scope: "user"
```

Protect an expensive report (10 per hour globally)

```
maxRequests: 10
windowSeconds: 3600
scope: "global"
```

Typical pipeline placement
Place Rate Limit early in the pipeline, before any expensive operations:

```
Context --> Rate Limit --> Require Auth --> Validate --> Sanitize --> Save Row --> Output
```

TIP
Combine Rate Limit with Require Auth and Validate for a defense-in-depth approach to form security.
WARNING
Rate limiting uses WordPress transients, which are stored in the database (or object cache if configured). On high-traffic sites, use scope: "ip" or scope: "user" rather than scope: "global" to avoid contention.