Also known as: rate limit, throttling, request throttling
Definition
Rate limiting is the practice of capping how many times an endpoint can be called per user, IP, or other identifier within a time window. In Next.js Server Actions, rate limits protect login, signup, password reset, magic links, and any expensive operation against brute-force and enumeration attacks.
Rate limiting tracks the number of requests against a key (user ID, IP, email, action name) and rejects requests once the count exceeds a threshold within a window. A typical login rate limit is five attempts per minute per IP. A password-reset limit is three per hour per email.
The check belongs at the application layer, inside each sensitive Server Action. An in-memory store works for a single-instance dev setup, but production needs a shared store: Upstash Redis, Vercel KV, or any Redis-compatible service. The rate-limit check runs before any database write, so brute-force attempts cost nothing past the first rejection.
Rate limiting mitigates credential stuffing (testing leaked passwords from breach dumps), account enumeration (figuring out which emails are registered by timing differences in responses), email flooding via magic-link or password-reset abuse, and resource-exhaustion attacks on expensive endpoints such as report generation or AI-call proxies.
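The mechanism above as an added example, not code from the original page: a fixed-window limiter with a pluggable store (the in-memory store is the single-instance dev case; production would implement the same interface over Redis), keyed by action plus identifier and checked before any database work in a login-style action. `findUser`, `metrics` and the sample credentials are constructed stand-ins.

```typescript
// Added example, not from the original page. A fixed-window rate limiter with
// a pluggable store, checked before any database work in a login-style
// Server Action. MemoryStore is the dev-only store; production would
// implement RateLimitStore over Upstash Redis, Vercel KV or similar.

export interface RateLimitStore {
  // Increment the counter for `key`, starting a new window if the old one
  // has expired; returns the new count and when the current window ends.
  increment(key: string, windowMs: number, now: number): { count: number; resetAt: number };
}

export class MemoryStore implements RateLimitStore {
  private buckets = new Map<string, { count: number; resetAt: number }>();
  increment(key: string, windowMs: number, now: number) {
    const b = this.buckets.get(key);
    if (b && now < b.resetAt) { b.count += 1; return { ...b }; }
    const fresh = { count: 1, resetAt: now + windowMs };
    this.buckets.set(key, fresh);
    return { ...fresh };
  }
}

export function checkRateLimit(
  store: RateLimitStore, action: string, id: string,
  limit: number, windowMs: number, now: number,
) {
  // Key is action-scoped so login and reset counters for one IP stay separate.
  const { count, resetAt } = store.increment(`${action}:${id}`, windowMs, now);
  return { ok: count <= limit, retryAfterMs: count <= limit ? 0 : resetAt - now };
}

// Constructed stand-in for the user lookup a real action would perform; it
// counts calls so one can confirm rejected attempts never reach the database.
export const metrics = { dbLookups: 0 };
function findUser(email: string) {
  metrics.dbLookups += 1;
  return email === "alice@example.com" ? { email, password: "correct horse" } : null;
}

export type LoginResult = { status: "ok" | "invalid_credentials" | "rate_limited"; retryAfterMs?: number };

export function loginAction(store: RateLimitStore, ip: string, email: string, password: string, now: number): LoginResult {
  // Five attempts per minute per IP, checked before any database work.
  const rl = checkRateLimit(store, "login", ip, 5, 60_000, now);
  if (!rl.ok) return { status: "rate_limited", retryAfterMs: rl.retryAfterMs };
  const user = findUser(email);
  // Same response for unknown user and wrong password: no enumeration signal.
  if (!user || user.password !== password) return { status: "invalid_credentials" };
  return { status: "ok" };
}
```

The password-reset limit from the text is the same call with `checkRateLimit(store, "reset", email, 3, 3_600_000, now)`.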