FEATURES

Security & abuse

Rate limits, allowed domains, abuse signals, and signature verification.

Overview

Rate limits, allowed domains, abuse signals, and signature verification.

Who should use this

All customers — defaults apply; enterprise tunes limits.

Core concepts

429 with Retry-After. Abuse events visible in admin.

Setup

Configure allowedDomains on environment; review /security/rate-limits.

Required entitlement

custom_domains for domain allow-lists at scale.

Required permissions

environment.update for domains; platform.security.view for abuse admin.

REST API

Admin GET /admin/abuse-events; widget enforces domain + rate limit.

SDK (@startupcore/api-client)

startupCore.security (admin abuse list).

React components

<SecuritySettingsPanel />, <AllowedDomainsEditor />, <RateLimitSettings />.

Security notes

See /security/* guides for auth, webhooks, API keys.

Troubleshooting

429 — backoff using Retry-After header.