FEATURES
Security & abuse
Rate limits, allowed domains, abuse signals, and signature verification.
Overview
Rate limits, allowed domains, abuse signals, and signature verification.
Who should use this
All customers — defaults apply; enterprise tunes limits.
Core concepts
429 with Retry-After. Abuse events visible in admin.
Setup
Configure allowedDomains on environment; review /security/rate-limits.
Required entitlement
custom_domains for domain allow-lists at scale.
Required permissions
environment.update for domains; platform.security.view for abuse admin.
REST API
Admin GET /admin/abuse-events; widget enforces domain + rate limit.
SDK (@startupcore/api-client)
startupCore.security (admin abuse list).
React components
<SecuritySettingsPanel />, <AllowedDomainsEditor />, <RateLimitSettings />.
Security notes
See /security/* guides for auth, webhooks, API keys.
Troubleshooting
429 — backoff using Retry-After header.