Skip to main content
The Network settings page controls how your app handles incoming requests — which origins can call its API, and how aggressively to rate-limit traffic. The settings here are project-wide defaults, scoped per environment. For per-route overrides on a specific endpoint, configure CORS and rate limits on the route itself in Custom APIs.

CORS configuration

Cross-Origin Resource Sharing (CORS) controls which web origins are allowed to call your API from a browser. Add the origins you trust:
  • https://yourapp.com
  • https://*.yourapp.com (subdomain wildcards)
  • http://localhost:3000 (local development)

Rate limiting

Set per-route or global limits to protect your API from abuse and runaway clients:
  • Global limit — total requests per minute
  • Per-IP limit — requests per minute from a single IP
  • Per-key limit — requests per minute per API key
  • Burst — short-term spike allowance

When to tighten

  • After launch, when traffic patterns are stable
  • If you see abuse from specific origins or IPs
  • When introducing public APIs
  • Before announcing a high-traffic event

FAQ

Yes — sensible defaults apply. Tighten or relax as your app’s needs require.
429 Too Many Requests, with a Retry-After header.