Vercel Rate Limits

Overview

Handle Vercel REST API rate limits with proper retry logic, and configure Vercel's WAF rate limiting SDK to protect your deployed API endpoints from abuse. Covers both consuming the Vercel API (outbound) and protecting your own functions (inbound).

Prerequisites

• Vercel CLI installed and authenticated
• Understanding of HTTP 429 status codes
• For WAF rate limiting: Vercel Pro or Enterprise plan

Instructions

Step 1: Vercel REST API Rate Limits

The Vercel REST API enforces rate limits per endpoint. When exceeded, the API returns HTTP 429 with rate limit headers:

HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1711152000
Retry-After: 60

Known API limits:

Step 2: Implement Retry with Backoff for Vercel API

// lib/rate-limit-handler.ts
interface RateLimitInfo {
  limit: number;
  remaining: number;
  reset: number; // Unix timestamp
}

function parseRateLimitHeaders(headers: Headers): RateLimitInfo {
  return {
    limit: Number(headers.get('X-RateLimit-Limit') ?? 100),
    remaining: Number(headers.get('X-RateLimit-Remaining') ?? 100),
    reset: Number(headers.get('X-RateLimit-Reset') ?? 0),
  };
}

async function vercelFetchWithRetry(
  url: string,
  options: RequestInit,
  maxRetries = 3
): Promise<Response> {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    const res = await fetch(url, options);

    if (res.status !== 429) return res;

    if (attempt === maxRetries) {
      throw new Error(`Rate limited after ${maxRetries} retries: ${url}`);
    }

    // Use Retry-After header if present, otherwise exponential backoff
    const retryAfter = res.headers.get('Retry-After');
    const waitMs = retryAfter
      ? Number(retryAfter) * 1000
      : Math.min(1000 * Math.pow(2, attempt) + Math.random() * 1000, 30000);

    console.warn(`Rate limited (attempt ${attempt + 1}/${maxRetries}). Waiting ${Math.round(waitMs)}ms...`);
    await new Promise(r => setTimeout(r, waitMs));
  }
  throw new Error('Unreachable');
}

Step 3: Proactive Rate Limit Avoidance

// lib/rate-limiter.ts
// Track remaining quota and slow down before hitting the wall
class VercelRateLimiter {
  private remaining = 100;
  private resetAt = 0;

  async throttle(): Promise<void> {
    // If near the limit, wait until reset
    if (this.remaining < 5) {
      const waitMs = Math.max(0, this.resetAt * 1000 - Date.now()) + 1000;
      console.warn(`Near rate limit (${this.remaining} remaining). Waiting ${waitMs}ms...`);
      await new Promise(r => setTimeout(r, waitMs));
    }
  }

  update(headers: Headers): void {
    this.remaining = Number(headers.get('X-RateLimit-Remaining') ?? this.remaining);
    this.resetAt = Number(headers.get('X-RateLimit-Reset') ?? this.resetAt);
  }
}

Step 4: Protect Your Own Endpoints — Vercel WAF Rate Limiting

Vercel's WAF provides built-in rate limiting for your deployed functions:

// middleware.ts — WAF rate limiting via Vercel Firewall SDK
import { ipAddress } from '@vercel/functions';
import { checkRateLimit } from '@vercel/firewall';

export async function middleware(request: Request) {
  const ip = ipAddress(request) ?? '127.0.0.1';

  // Rate limit: 100 requests per 60 seconds per IP
  const { rateLimited } = await checkRateLimit('api-limit', {
    key: ip,
    limit: 100,
    window: '60s',
  });

  if (rateLimited) {
    return new Response(
      JSON.stringify({ error: 'Too many requests. Please try again later.' }),
      { status: 429, headers: { 'Content-Type': 'application/json', 'Retry-After': '60' } }
    );
  }
}

export const config = {
  matcher: '/api/:path*',
};

Install: npm install @vercel/firewall @vercel/functions

Step 5: Custom Rate Limiting with Edge Config

// api/rate-limited-endpoint.ts
import { get } from '@vercel/edge-config';

export const config = { runtime: 'edge' };

// Simple in-memory sliding window (per-isolate, not global)
const windowMs = 60_000;
const maxRequests = 50;
const requests = new Map<string, number[]>();

function isRateLimited(key: string): boolean {
  const now = Date.now();
  const timestamps = (requests.get(key) ?? []).filter(t => now - t < windowMs);
  timestamps.push(now);
  requests.set(key, timestamps);
  return timestamps.length > maxRequests;
}

export default async function handler(request: Request): Promise<Response> {
  const ip = request.headers.get('x-forwarded-for') ?? 'unknown';

  if (isRateLimited(ip)) {
    return Response.json({ error: 'Rate limit exceeded' }, { status: 429 });
  }

  return Response.json({ data: 'ok' });
}

Platform Concurrency Limits

Output

• Vercel API calls wrapped with automatic retry and backoff
• Rate limit headers parsed and monitored proactively
• WAF rate limiting protecting deployed API endpoints
• Custom per-IP rate limiting for fine-grained control

Error Handling

Resources

• Vercel Limits
• WAF Rate Limiting
• Rate Limiting SDK
• FUNCTION_THROTTLED
• Concurrency Scaling

Next Steps

For security best practices, see vercel-security-basics.